Russian cybercriminals dominate the threat landscape, aided largely by a government that has heretofore turned a blind eye to their illicit dealings — as long as their attacks target organizations and individuals outside of Mother Russia. However, since Russia's invasion of Ukraine on Feb. 24, the Kremlin has made a series of moves that threatens to disrupt the delicate balance that exists between them.
Without an extradition treaty with the United States, most of these cybercriminals operate with impunity or are nabbed when traveling outside of the United States. But in recent months this has not been the case. Several administrators and hosting providers were arrested in Russia in the past year for allegedly breaking the unspoken agreement between the government and cybercriminals. On Jan. 14, the Federal Security Service of the Russian Federation (FSB), in concert with US authorities, arrested members of the REvil ransomware-as-a-service (RaaS) collective that was responsible for the Kaseya attack. About a week later, the FSB detained four members of the Infraud Organization, including the group's founder, Andrey Novak, who was also wanted by the FBI. Though Russia is responsible for detaining these cybercriminals, these arrests and illicit marketplace takedowns have been few and far between and seem to signal more of a public relations ploy than a formal desire to stop cybercrime that affects its Western counterparts; there is no formal cyber alliance between Russia and the United States.
In some ways, Russian cybercrime has always been different, even in the underground. Russian cybercriminals, often young men, have had the autonomy to target foreign victims and establish various Dark Web-based marketplaces, card shops, and forums that attract like-minded threat actors. Wanted posters for these cybercriminals may very well be accompanied by images that showcase their Instagrammable lifestyles — poses that include expensive luxury automobiles, exotic cats, and stacks on stacks of US dollars.
Connection to Cybercrime
There is a demonstrable connection between the Russian government and cybercrime. Public records show that Alyona Eduardovna Benderskaya is the wife of "Evil Corp" ringleader Maxim Yakubets and daughter of FSB agent Eduard Bendersky. The exotic cat-wielding Bogachev has also been associated with Yakubets regarding money laundering for various malware schemes. Former cybercriminal-cum-FSB officer Dmitry Dokuchaev sought the services of Shaltai-Boltai ringleader Vladimir Anikeyev and Yahoo breachers Alexsey Alexseyevich Belan and Karim Baratov. Dokuchaev was also sentenced to six years in prison for treason, so perhaps there is no love lost there. Aleksei Burkov, founder of cybercrime forum "DirectConnection" and co-administrator of "MazaFaka," was recently released from the United States and returned to Russia short of his nine-year sentence. Despite these indictments, all of these Russia cybercriminals remain at large, housed and protected in Russia.
But Russia may unconsciously be eating its own: Russia's war with Ukraine has resulted in a global effort to isolate Putin and, as a result, Russian cybercriminals are feeling the pressure.
For one, Russia has taken an aggressive stance on Internet blocking, which has increased since the start of the war and is affecting the ways in which cybercriminals operate. News and social media websites are actively being censored to create a filter bubble within Russia's borders. Previous reports indicate that Russia has attempted to block Internet protocols such as DNS over HTTPs (DoH) and DNS over TLS (DoT), threatening the security and privacy of Internet communications. Russia is also blocking access to the Tor network, which is having an effect on freedom of speech and the landscape through which cybercriminals can communicate. While dissidents are downloading VPNs in greater numbers, threat actors are actively seeking workarounds that bypass Russia's deep packet inspection (DPI) capability. Threat actor recommendations include "anti-DPI" technology, Tor bridges, and VPN-to-VPN services, though the effectiveness of these countermeasures remains to be seen.
Secondly, Russia previously faltered in implementing its "sovereign Internet," finding difficulty in going from an open global Internet to a closed one. Cybercriminals may be able to gamble on Russia unsuccessfully disconnecting from the Internet. While countries like China have been more successful in closing their borders to disinformation, dissent, and foreign influence, it has come at the cost of vast human, technical, and financial resources. Other examples, such as Iran's walled garden and North Korea's restricted Internet, have demonstrated that cybercrime can persist, though usually it is at the behest of the government.
Thirdly, foreign governments are also making it difficult for Russian cybercriminals to cash out and launder the proceeds of their criminal campaigns. On April 5, German law enforcement, in concert with the US Justice Department, shut down Hydra, Russia's largest cybercrime marketplace. The Treasury Department's Office of Foreign Assets Control (OFAC) followed by sanctioning over 100 cryptocurrency addresses and virtual currency exchange Garantex. The sanctions followed a September 2021 initiative to disrupt ransomware payments by sanctioning Suex, and then Chatex, which have helped facilitate ransomware payments to threat actors. All three were tied to the "Moscow tower," which has been a hub of money laundering and cash-out activity. These sanctions are affecting cybercriminals' ability, in combination with sanctions against Russian financial institutions, to move cryptocurrencies from illicit activities (such as ransomware payouts) into fiat currencies.
Changing Face of Cybercrime
Cybercrime has a way of transforming. When one threat actor group is taken offline, another one takes its spot. There has never been a shortage of victims, and despite increased cybersecurity, there are always loopholes that can be exploited. Russian cybercriminals will have a difficult time overcoming the recent sanctions, although they are not a panacea. Russia has benefited from an overly permissive stance on cybercrime, and cybercriminals have acted with impunity. However, the increased restrictions on protocols, illicit services, and cybercrime marketplaces will make it increasingly difficult to financially benefit from conducting cyberattacks within Russia's borders. The implicit treaty between Russia and cybercriminals has been broken, and it is yet to be seen how they respond.