Kuboid
Security BSides 2025

Versus Killnet

Security BSides San Francisco · 51 views · 30:37 · 5 months ago

This talk details the operational history and eventual disruption of the Russian hacktivist group Killnet and its associated illegal drug marketplace, Solaris. The speaker describes how his threat intelligence team identified and exploited vulnerabilities in the Solaris platform's infrastructure to divert funds to humanitarian aid. The presentation highlights the use of OSINT, infrastructure monitoring, and strategic disruption to counter state-aligned hacktivist operations. It provides a case study on the intersection of cyber-warfare, criminal underground economies, and threat intelligence.

How Threat Intelligence Teams Dismantled the Solaris Drug Marketplace

TLDR: This research details how a small team of threat intelligence experts successfully infiltrated and disrupted Solaris, a major Russian dark-web drug marketplace, by exploiting infrastructure vulnerabilities. By gaining administrative access, the team diverted illicit funds to humanitarian aid, demonstrating the power of strategic infrastructure monitoring over traditional takedown methods. Pentesters should note that even hardened dark-web platforms often rely on misconfigured management tools like Ansible and weak SSH key management.

Hacktivism has evolved from simple defacements into a sophisticated component of modern conflict. The rise of groups like Killnet, which emerged in late 2021, signaled a shift where state-aligned actors began leveraging the criminal underground to amplify their reach. For security researchers and penetration testers, the most critical takeaway from this shift is not the volume of DDoS traffic, but the operational reliance these groups have on the very infrastructure they claim to despise.

The Infrastructure Vulnerability

Killnet and its associated platforms, such as the Solaris marketplace, were not built by masterminds. They were built by individuals with varying levels of technical competence who often cut corners on basic security hygiene. During our investigation into Solaris, we found that the platform was not a fortress. It was a collection of misconfigured servers managed through automation frameworks that were left exposed.

The primary vulnerability was not a zero-day in a complex web application, but a failure to secure the management plane. By identifying the infrastructure footprint of the marketplace, we were able to locate the servers running the backend services. We discovered that the platform utilized Ansible for configuration management, and the SSH keys used to manage these nodes were poorly protected.

Once we gained access to the management layer, the entire platform was effectively ours. We did not need to bypass complex WAF rules or exploit obscure memory corruption bugs. We simply used the tools the administrators left behind. This is a common pattern in the criminal underground: attackers are often excellent at social engineering or DDoS, but they are frequently amateurish when it comes to securing their own command-and-control infrastructure.

Technical Execution and Monitoring

The key to this operation was not just the initial access, but the ability to maintain persistence and monitor the platform’s financial flows without alerting the operators. We focused on the platform's transaction processing logic. By analyzing the PHP source code that handled cryptocurrency deposits and withdrawals, we identified the logic that routed funds to the marketplace's internal wallets.

We implemented a hook within the transaction processing script to intercept these calls. Instead of sending the full volume of cryptocurrency to the operators, we redirected a portion of the funds to a wallet controlled by a humanitarian organization. This required a deep understanding of how the platform handled its internal accounting.

<?php
// Simplified representation of the transaction routing logic after the hook
// was inserted. $is_humanitarian_event is the flag the team added; on an
// ordinary run it is false and the deposit reaches the operators' wallet
// exactly as before, which is what kept the change invisible to them.
if ($transaction_type === 'deposit') {
    $target_wallet = $is_humanitarian_event ? $charity_wallet : $admin_wallet;
    process_payment($amount, $target_wallet);
}

This level of precision is only possible with full visibility into the server-side code. For a pentester, the lesson maps to more than one OWASP Top 10 category: the exposed management plane that granted the access is A05:2021-Security Misconfiguration, deployed code that could be altered with nothing verifying its integrity is A08:2021-Software and Data Integrity Failures, and A01:2021-Broken Access Control is the result, because once an attacker can modify server-side logic they can subvert the entire business model of the application. In this case the business model was selling illegal drugs, but the principle is identical for any e-commerce platform.

Real-World Applicability for Pentesters

When you are conducting an engagement against a client with a large, distributed infrastructure, do not focus solely on the public-facing web application. Look for the management interfaces. Are there exposed Jenkins instances, Ansible controllers, or Kubernetes dashboards? These are the "keys to the kingdom."

During a red team engagement, we often find that clients spend millions on perimeter security but leave their internal management tools wide open. If you can compromise an automation server, you can push malicious configurations to every node in the environment. This is exactly how we maintained control over the Solaris infrastructure. We didn't need to hack every server; we only needed to hack the one that managed them all.
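The two observations above, that the Solaris management plane fell to poorly protected Ansible SSH keys and that a pentester should go looking for exactly that on any automation controller, come down to a few concrete checks. The Python script below is an added example (not code from the talk, from Solaris or from Ansible itself): it reads an Ansible INI inventory, follows each host's ansible_ssh_private_key_file, and reports keys that are unencrypted or readable by group/other, plus any cleartext ansible_ssh_pass/ansible_password set inline. Every host name, address, key file and inventory it uses is a constructed fixture written to a temporary directory; the fake key bodies carry only the OpenSSH header fields the auditor inspects and are not usable keys.

```python
"""Audit an Ansible INI inventory for weak SSH credential handling (added example,
not Solaris code). Flags keys that are unencrypted or readable by group/other and
cleartext ansible_ssh_pass/ansible_password; all fixtures below are constructed."""
import base64
import os
import struct
import tempfile

_MAGIC = b"openssh-key-v1\x00"


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length prefix."""
    return struct.pack(">I", len(b)) + b


def make_fake_openssh_key(cipher: str) -> str:
    """Constructed fixture that looks like an OpenSSH private key; only the header
    fields the auditor reads (magic, cipher, kdf) are present. NOT a usable key."""
    kdf = b"none" if cipher == "none" else b"bcrypt"
    b64 = base64.b64encode(_MAGIC + _ssh_string(cipher.encode()) + _ssh_string(kdf)).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


def key_is_encrypted(path: str) -> bool:
    """True if the key is passphrase-protected: native OpenSSH format (cipher name in
    the binary header) or legacy PEM (Proc-Type: 4,ENCRYPTED). Unknown -> False."""
    with open(path, "rb") as f:
        data = f.read()
    if b"Proc-Type: 4,ENCRYPTED" in data:
        return True
    if b"BEGIN OPENSSH PRIVATE KEY" not in data:
        return False
    body = b"".join(ln for ln in data.splitlines() if not ln.startswith(b"-----"))
    blob = base64.b64decode(body)
    if not blob.startswith(_MAGIC):
        return False
    off = len(_MAGIC)
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n] != b"none"


def parse_inventory(path: str) -> dict:
    """Minimal reader for Ansible INI host lines -> {host: {var: value}}.
    [group:vars] blocks are skipped; inline per-host vars are where secrets leak."""
    hosts, in_vars = {}, False
    with open(path) as f:
        for raw in f:
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            if line.startswith("["):
                in_vars = line.endswith(":vars]")
                continue
            if in_vars:
                continue
            tokens = line.split()
            hosts[tokens[0]] = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
    return hosts


def audit_inventory(path: str) -> list:
    """Return (host, issue) tuples for every weakness found."""
    findings = []
    for host, v in parse_inventory(path).items():
        for pw in ("ansible_ssh_pass", "ansible_password"):
            if pw in v:
                findings.append((host, f"cleartext {pw} in inventory"))
        key = v.get("ansible_ssh_private_key_file")
        if not key:
            continue
        if not os.path.exists(key):
            findings.append((host, f"key file missing: {key}"))
            continue
        if os.stat(key).st_mode & 0o077:
            findings.append((host, f"key readable by group/other: {key}"))
        if not key_is_encrypted(key):
            findings.append((host, f"unencrypted private key: {key}"))
    return findings


def build_sample_environment() -> str:
    """Write constructed fixtures (two fake keys, one inventory) to a temp dir."""
    d = tempfile.mkdtemp(prefix="inv_audit_")
    weak, good = os.path.join(d, "deploy_key"), os.path.join(d, "ops_key")
    for p, cipher, mode in ((weak, "none", 0o644), (good, "aes256-ctr", 0o600)):
        with open(p, "w") as f:
            f.write(make_fake_openssh_key(cipher))
        os.chmod(p, mode)
    inv = os.path.join(d, "hosts.ini")
    with open(inv, "w") as f:
        f.write("[backend]\n"
                f"db01 ansible_host=10.0.0.5 ansible_ssh_private_key_file={weak}\n"
                f"web01 ansible_host=10.0.0.6 ansible_ssh_private_key_file={good}\n"
                "cache01 ansible_host=10.0.0.7 ansible_ssh_pass=Summer2023!\n"
                "[backend:vars]\nansible_user=deploy\n")
    return inv
```

Run `audit_inventory(build_sample_environment())` and the sample reports db01 twice (world-readable key, unencrypted key) and cache01 once (cleartext password) while web01 is clean. On a real controller, point it at the inventory under /etc/ansible or the project checkout; an unencrypted, world-readable key referenced from an inventory is precisely the artefact that turns one compromised management host into every node it manages.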

Defensive Strategies

Defenders must treat their management infrastructure with the same level of scrutiny as their production applications. That means strict network segmentation, multi-factor authentication for all administrative access, passphrase-protected private keys (or short-lived SSH certificates in place of long-lived static keys) and regular rotation of whatever keys remain. If you are using automation tools like Ansible, ensure that the control node is not reachable from the public internet, that playbooks and inventories live in a version-controlled repository, and that credentials are kept in Ansible Vault rather than inline in inventory files.

Furthermore, monitoring for unauthorized changes to server-side code is essential. File integrity monitoring (FIM) tools can detect when a script has been modified, providing an early warning that an attacker has gained a foothold; the baseline must be stored and compared from outside the monitored host, or an attacker with root access will simply re-baseline after making the change. Do not assume that your internal tools are safe just because they are not directly exposed to the end user.
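The hook described in the Technical Execution section is exactly the class of change FIM exists to catch: a deployed script rewritten in place, plus a new helper file dropped beside it. The Python script below is an added example (not code from the talk or from any FIM product): it fingerprints every monitored file under a web root by SHA-256, size and mode, diffs a later scan against that baseline, and reports added, removed and modified paths. The web root, file names and PHP fragments it creates are constructed fixtures in a temporary directory; the "hook" edit is simulated by the script itself.

```python
"""Minimal file-integrity monitor for a web root (added example, not Solaris or
product code). Baselines SHA-256/size/mode per file, diffs a later scan against
it, and simulates a planted hook; the web root below is a constructed fixture."""
import hashlib
import os
import tempfile


def _fingerprint(path: str) -> dict:
    """Hash the file in chunks and record size and permission bits."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": st.st_mode & 0o777}


def snapshot(root: str, exts=(".php", ".py", ".sh", ".conf")) -> dict:
    """Map relative path -> fingerprint for every monitored file under root."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(exts):
                full = os.path.join(dirpath, name)
                snap[os.path.relpath(full, root)] = _fingerprint(full)
    return snap


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Return sorted lists of added, removed and modified relative paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def simulate_hook_insertion() -> dict:
    """Build a constructed web root, baseline it, plant a hook, re-scan and diff."""
    root = tempfile.mkdtemp(prefix="webroot_")
    app = os.path.join(root, "app")
    os.makedirs(app)
    deposit = os.path.join(app, "deposit.php")
    with open(deposit, "w") as f:
        f.write("<?php\nprocess_payment($amount, $admin_wallet);\n")
    with open(os.path.join(app, "config.php"), "w") as f:
        f.write("<?php\n$admin_wallet = 'bc1qexample';\n")
    baseline = snapshot(root)
    # Attacker-style edit: rewrite the payment path and drop a helper beside it.
    with open(deposit, "w") as f:
        f.write("<?php\nrequire 'hook.php';\nprocess_payment($amount, route($admin_wallet));\n")
    with open(os.path.join(app, "hook.php"), "w") as f:
        f.write("<?php\nfunction route($w) { return $w; }\n")
    return diff_snapshots(baseline, snapshot(root))
```

`simulate_hook_insertion()` returns app/deposit.php as modified and app/hook.php as added, with nothing removed. The baseline here lives only in memory for the demonstration; in a real deployment write it to a host the web server cannot reach (or sign it with a key the web server does not hold) and run the comparison from there, since a root-level intruder on the monitored box can otherwise regenerate the baseline after the edit.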

The disruption of Solaris proved that even the most aggressive hacktivist groups have a soft underbelly. By focusing on the infrastructure that powers these operations, researchers can move beyond reactive defense and start actively dismantling the platforms that enable these threats. The next time you are looking at a target, look past the front-end. The real story is almost always in the back-end configuration.
