By András Tóth-Czifra
In the cyber theater, Russia’s war against Ukraine has raged intensely for several years already, and major cyber intrusions into Ukrainian systems accompanied the February invasion, as well. While the weaponization of cybercrime against Western targets has not manifested as feared, the war is remapping the Russian-speaking cyber underground. In a guest essay for Meduza, Flashpoint Intelligence senior analyst András Tóth-Czifra explains how Russia’s invasion has changed this digital hunt for ill-gotten gains.
At the beginning of the February invasion of Ukraine, there was widespread fear that cybercrime would be weaponized against Western organizations, especially given earlier examples of the Russian security services tolerating cybercriminals targeting the West (or even trying to recruit them for service). The U.S.-Russian dialogue on cybercrime, which reportedly led to the arrest of credit-card fraudsters and ransomware affiliates in early 2022, collapsed soon after February 24. The Russian media has hinted repeatedly that either ransomware affiliates or other fraudsters may join Moscow’s offensive cyber operations, but there is no evidence that this has happened yet. “Patriotic hacktivists” have been loud, but not very disruptive.
And yet the war has profoundly changed the Russian-speaking cyber underground.
For a long time, Ukraine was an important and organic part of this space, partly because of its openness to both Russia and Europe. In 2002, the website CarderPlanet, one of the first major Russian-language Internet forums focused on credit-card fraud, hosted the First Worldwide Carders’ Conference in Odesa. Cybercrime operations primarily targeting Western organizations often spanned both Ukraine and Russia. When Russia annexed Crimea and started the war in the Donbas, however, Moscow unleashed a barrage of cyber intrusions into Ukraine’s critical infrastructure.
In the years since, cooperation between Ukraine and the West on matters of cybersecurity has gradually evolved. Ukraine became part of the Budapest Convention on Cybercrime and established a legal framework on public-private cooperation, electronic evidence and discovery, and legal procedures for cybercrime arrests.
Over time, these developments led to new pressure on cybercriminals in Ukraine. In 2019, rumors began circulating on Telegram that Ukraine’s Security Service (SBU) had seized control of the popular cybercrime venue Exploit, while taking down its “bulletproof” hosting provider. At the same time, Ukrainian officials in cooperation with Western law enforcement started arresting ransomware operators and affiliates.
Ukraine would no longer be a refuge for hackers fearing extradition.
Moscow’s full-scale invasion widened this divide even more and caused further disruptions. Hacktivist groups have targeted Russian entities relentlessly since February, resulting in a wealth of leaked information about Russian organizations and state institutions (some of which has already been used in investigative reporting).
Admittedly, data leaks from Russia are hardly new: the combination of an increasingly intrusive state digital surveillance system and persistently high corruption makes it relatively easy to buy and sell sensitive data like police or border-guard information. Even Russia’s own authorities have used data leaks to intimidate opposition activists and protesters. What’s new is the deliberate targeting of Russian organizations and the sheer amount of information leaked, the implications of which can be difficult to see.
Cybercriminals themselves also experienced disruptions in their day-to-day operations. Conti learned this the hard way when its administrators publicly endorsed Russia’s invasion and the group’s internal communications were promptly leaked by an unnamed Ukrainian cybersecurity researcher (rumors suggested that disgruntled Ukrainian associates were part of the leaks).
Most cybercriminals have not taken sides in the war (at least openly), and major forums carefully curtail any political discussion, fearing such talk might bring unwanted attention. The new conditions have forced certain adaptations. Some cybercriminals have reportedly used their savings to help relatives affected by the war, while others have struggled to transfer their ill-gotten gains. The developer of “Raccoon,” a popular malware used to steal login credentials, went into hiding from the Ukrainian draft. It’s likely that many cybercriminals have moved to Russia’s “near-abroad,” joining tens of thousands of other I.T. workers who have left the country.
For some, the war has been a business opportunity. The best-known example is “Killnet,” a group that started as hired distributed-denial-of-service (DDoS) attackers but turned itself into pro-Kremlin hacktivists after February 24. By closely following the news cycle and starting a large number of low-impact attacks on Western websites, the group gained notoriety internationally and fame domestically, which helped with recruitment. Kremlin-aligned media also boosted the project with multiple softball interviews. As a result, the group has been able to demand higher prices for DDoS attacks.
The biggest event in the Russian-speaking cyber underground this year came in April when German and U.S. law enforcement took down the Russian-run Hydra Market, the largest Darknet market in the world. Former users and sellers saw this, too, through the prism of the war, even though the operation likely predated the February invasion by several months. Hydra was primarily a platform for drug dealers selling narcotics in Russia and some neighboring states, but it evolved in recent years into a one-stop shop of cybercrime tools, from forged documents to cryptocurrency cashout services, with ambitions that clearly went beyond Russia’s borders.
As the dust cleared following Hydra’s takedown, a vicious fight broke out between the markets hoping to take its place, and Russia’s war in Ukraine has partly shaped this fight, as well. After Hydra fell, rumors spread that the SBU had allegedly taken control of the RuTor forum — one of the Russian Internet’s oldest Darkweb hangouts, where former Hydra sellers and buyers later regrouped. RuTor’s administrators supposedly plotted to run off with some of Hydra’s stashed-away spoils. When Killnet spearheaded a DDoS attack against the forum in August, it justified this by calling it an “odious SBU forum.” Even so, many of the collective’s pro-invasion followers found it perplexing that a “patriotic” group would attack an obscure narco forum. (Interestingly, Killnet’s explanation mirrored claims voiced around the same time by Russian Security Council Deputy Secretary Alexander Grebenkin about the SBU “spreading drugs” in Russia.)
Cybercriminals are masters of adaptation. They have found new sources of living, new means of cashing out, and no doubt new grounds upon which to associate with each other. Money will most likely remain this group’s key driver, but war-related disputes (even if they are only used as a cover in the fight over money) can signal deeper changes in the community, shaping the post-war cyber undergrounds of Ukraine and Russia.
When that dust settles, however, some links may have been severed beyond repair.