Solaris – Russian Drug Platform Exposed

01, 12 2023

Introduction

Solaris – Russian Drug Platform Exposed

In late December of last year, Forbes published an article describing the actions of Hold Security against the Russian illegal drug platform Solaris. Today we are releasing additional information and data about this platform, which has been gathered over the past year and has continued up to the time of this publication.

There are certain cyber criminals who evade identification and stay untraceable through conventional means. Nearly a decade ago, we added a vector in our research to trace such criminals by watching their drug deals. While we are not using this capability to monitor the illegal drug trade itself, we are seeing a good percentage of cyber criminals use illegal drugs. This technique always proved to be useful to trace them by monitoring their illegal drug habits.

Hold Security
is an international threat intelligence company that monitors and protects customers against cyber threats and attacks. Our threat intelligence program is based on three main pillars – human intelligence, technology, and artificial intelligence. Combining all three produce incredible results, which prevent and stop cybercrime.

The Illegal Drug Trade in Russia

Russia is a safe haven for illegal drugs and a fertile ground for several dangerous platforms that supply illegal drugs to tens of thousands of users. Use of the Dark Web and technology made a huge difference in the present drug trade. The dealers no longer sit in dark alleys offering their illicit wares to strangers. Instead, drug dealers now use online services to dispatch armies of drug runners who hide various drugs in the middle of normal neighborhoods‘ unassuming areas. They then carefully document the hidden caches through GPS coordinates, pictures, and instructions. By using these new online services, a dealer and a customer never meet face-to-face which creates a better chance for physical safety to both parties. So, how do they find each other then? Drug users locate drugs through several Dark Web platforms that allow dealers to run their own shops and interact with these drug users through a relatively simple web interface.

Most shop names and graphics mimic popular brands, celebrities, or other well recognized gimmicks, to attract more attention to their shops. For example, a shop using imagery of Philipp Kirkorov, a Russian pop singer, offered a variety of illegal drugs. “Djadja Filjua” or “Uncle Phil” is one of hundreds of shops vying for attention of drug users based on locales and types of drugs, number of customers, prices, and even ratings.

Shop code and SQL database - Link

Djadja Filjua shop

Djadja Filjua shop

Emergence of Solaris

A number of such popular platforms have risen to prominence and have disappeared out of existence. However, after the latest demise of the major platform Hydra, only a few popular platforms remain. One such Dark Web drug marketplace, RuTor, emerged from a very popular Russian-language forum, Solaris. Solaris is not a new platform based on this description dated back to 2017:

Solaris – Automated shops with a common catalog. Project by Zanzi. Almost deserted.

Coming out of obscurity, the Solaris gang staged a ruthless attack against RuTor through DDoS and a myriad of other cyber-attacks and cyber threats. This allowed Solaris to clinch the lead in the Russian online illegal drug trade.

Solaris shops operate in a very sophisticated way whereas the drug buyers deposit money into an exchange where it’s stored in bitcoins (illegal in Russia). Every account with funds in it has its own bitcoin wallet and the money gets moved through an exchange which operates like a bank. These accounts hold various balances for payouts to shop owners and other personnel.

Our Research

In July of 2022, Hold Security gained insider-level access into the Solaris infrastructure. This infrastructure was not only complex, but modern and mature. Their security was significantly above average. Harvesting threat intelligence from a drug platform is not simple, but to this day we have managed to stay partially invisible to this malicious group. Hold Security felt that something good needed to come from this. Therefore, we selected a great Ukrainian humanitarian charity to support - Enjoying Life.

Given unhindered access to the Solaris resources, we were able to divert more than 1.5 bitcoins from the Solaris exchange to a bitcoin wallet for this Ukrainian charity. This transaction did not affect the drug user wallets or shop owners but rather specifically targeted the exchange operators themselves. This is just the beginning of Solaris’ demise.

Enjoying Life Ukraine Humanitarian Charity

Enjoying Life helps with the results of the current military aggression including the evacuation of affected people, providing food and food rations, medicine, and hygiene products to those who are in the most in need of assistance.

Solaris and Killnet Partnership

In his October 2022 interview with a Russian publication RT, KillMilk, the founder of Killnet (a Russian hacktivist group attacking Ukraine and its allies) publicly thanked the Solaris group for their “huge support”.

This was a game changer. To date Killnet has not been shy about asking for support, but their affiliation with an illegal drug platform was highly unusual. If anything, Solaris staff should be opposed to the Russian government and its supporters. For example, within the ranks of Solaris there is a threat actor, TonyMontana, who previously operated a stolen credit card shop named “TrumpDumps”. This shop was taken down by the Russian government in February of 2022.

- What kind of support do you have from abroad if there is any?
- I have huge support from my friends at SOLARIS – this is also an aggressive and strong team from the Dark Web. I don’t know where they are from, but I’ve known these professionals for a long time. Thanks for their attention to us, Killnet is moving full steam ahead…

Our Goal

Our goal was formed: to bring public visibility to the Solaris group and highlight their connection to Killnet. Perhaps public attention and research would get us answers about KillMilk and their connection to the Russian drug trade. Does the rest of Killnet support such a leader? Should the public attention and poor control of security force the Solaris group to fade into obscurity and disgrace?

Solaris Lies

Once the bitcoins were diverted from the Solaris exchange, Solaris administration took down much of its infrastructure claiming it was due to a major upgrade. They did their best to deny the Forbes story (except for the money transfer), assuring their customers that their new version would be bigger and better. This was all a lie.

Killnet also blew off the news that its leader was connected to a drug gang. Some Killnet members asked KillMilk to comment, but only cowardly silence followed.

As experts in cyber security, Hold Security did not lose many of its vantage points within the Solaris infrastructure. Therefore, we know that the only updates to the code were a seasonal adaptation of the Solaris logo and some exchange wallet changes.

Hold Security is now releasing Solaris data from much of their infrastructure to call attention to its still vulnerable platform. This data highlights the continued connection and support of Killnet and the Russian illegal drug infrastructure. It also provides cyber security researchers with the information and tools needed to investigate this group further.

Exchange wallet address change

Exchange wallet address change

Tor Nodes and DDoS Guards

The following data includes Ansible scripts and SSH keys for automatized deployment to over 60 servers, including: source code of AntiDDoS Solaris Guard system, redirects from RuTor to Solaris, and Tor load balancer (onionbalance) configuration. This data also includes the Onion Hidden Service Keys. Link

Solaris infrastructure automation

Solaris infrastructure automation

Monitoring Framework

MySQL dump from Zabbix monitoring for part of Solaris infrastructure - Link

Solaris Catalog and Shop GIT – Full Source Code

The most recent (January 11, 2023) copy of Solaris catalog and shop GIT - Link

Solaris GIT repositories

Solaris GIT repositories

Solaris Forums MongoDB Data Folder Dump

While not the latest data from the Solaris forums, this is a treasure trove of information for investigating threat actors in their public and private communications - Link

Solaris forum

Solaris forum

SQL Database from a Number of Solaris Shops

SQL data and Docker containers data from Solaris shops. (Please note that we removed user wallet decryption keys to prevent abuse.) Link

Conclusion

Hold Security is sharing its findings and data from the Russian illegal drug platform, Solaris. In several public statements, the Solaris group has linked themselves to Killnet. Our goal is to raise awareness of Solaris’ misdeeds and connections, as well as to raise questions about the Killnet leadership and their sources of support. The data linked in this article should speak for itself.

Click here to find out more about Hold Security and its Threat Intelligence Services.


Logo
Řešení Threat Intelligence Services Credential Integrity Service Domain Integrity Service Služby posuzování informační bezpečnosti Reakce na incident a vyšetřování
Telefon
+420 770 121 812
Email
info@hstechnology.cz
Sociální sítě
twitter linkedin
Naše kanceláře
Autorská práva © 2024 Hold Security