Summary Points
- Historic Crackdown: For the first time, the Russian government is partially cracking down on its cybercriminal underground, previously seen as a symbiotic relationship with the state.
- Shifting Enforcement: Russia has begun revoking the safe harbor traditionally granted to low-level cybercriminals, primarily due to increased Western law enforcement and improved cybersecurity.
- Operation Endgame Impact: The launch of Operation Endgame by U.S. and European authorities has raised the stakes for Russia, prompting the Kremlin to assert control over its cybercriminals while sacrificing some pawns to appease international pressure.
- Targeting Domestic Criminals: Increasingly, Russia-based cybercriminals are targeting local organizations, leading the government to respond aggressively, thus breaking the established covenant of non-prosecution for non-local attacks.
For the first time in history, the Russian government has been partially cracking down on its cybercriminal underground.
Russian cybercriminals operate everywhere, but Russia has always been the world’s epicenter, primarily thanks to the carte blanche they’re afforded by the state. At best, Russia’s oligarchy has turned a blind eye to cybercrime within its borders. In many cases, state institutions and powerful officials have actively collaborated with, recruited, and otherwise aided Internet criminals.
In a new report, and an exclusive interview with Dark Reading at its Predict conference in Manhattan in early October, Recorded Future hypothesizes that this symbiosis is starting to show cracks. Thanks to some major developments in the West — namely, increased law enforcement against Russian cybercriminals, and improving cybersecurity across sectors — Russia’s law enforcement has been revoking the safe harbor it provides some low-level cybercriminals.
“The key finding here is that Russia is acquiescing a little bit to the West,” says Recorded Future threat intelligence analyst Alex Leslie. “You [once] had that unwritten rule of: if I’m a cyber criminal, as long as I don’t target Russian organizations and individuals, I won’t be prosecuted. That has actually changed.”
Russia’s motives for doing this are complex and in some ways cloudy. Regardless, whichever direction it continues will carry staggering implications for global cybersecurity.
The Dark Covenant Between Russia and its Cybercriminals
Russia’s cybercriminal underground has always been valuable to the Russian state. It’s a drain on nations adversarial to Russia. It’s a meaningful and endless source of income for young men without promising job prospects, who might otherwise commit domestic crimes. It’s a zero-cost talent pipeline for state institutions that run offensive cyber operations. The state can even outsource its operations to high-level criminal groups, affording it a degree of plausible deniability.
For these reasons and more, the Russian powers have always maintained a social contract with lowly hackers: As long as the hackers don’t attack targets within Russia, they can do whatever they’d like with impunity. The police won’t arrest them, and international police won’t even get a sniff.
In some cases the state doesn’t just ignore hackers, it works with them. Leaked chats indicate that Conti members have enjoyed private flights with Vladimir Ivanovich Plotnikov, a member of the Russian Duma. One member is known to have supplied the Main Intelligence Directorate (GRU) with intelligence related to COVID-19. The group has also attacked known targets of the Russian state, whether by coincidence or coordination.
Leslie adds another example. “In the context of Ukraine, the GRU has various layers of institutionalized cybercrime involved. They inform its offensive operations, and have since 2022. Every layer of that institution relies on cybercrime in order to function properly.”
Breaking with the Covenant
It’s difficult to imagine this dark covenant ever wavering, but developments over the past year indicate that it just might be.
Most notably, in October 2024, Russian authorities raided and arrested nearly 100 people involved with Cryptex and the Universal Automated Payment Service (UAPS), money laundering services for the underground. They seized vehicles, property, and $16 million in Russian rubles.
In an April 2025 case, authorities arrested executives of Aeza Group, a bulletproof hosting provider affiliated with many threat actors and illicit marketplaces. They’ve also tagged hackers associated with the Mamont banking Trojan, and an anti-corruption official who ironically took bribes from the Infraud Organization cybercrime network.
Even leading members of household-name ransomware groups like Conti, LockBit, and REvil have been arrested, though in those cases the flaccid penalties the threat actors faced have indicated a lack of seriousness.
This break with precedent is causing serious ripples in the underground. “We see on XSS on Dark Web forums, actors are starting to get scared. Actors are saying: ‘I don’t know if I feel comfortable being on a site like this and speaking Russian anymore.’ ‘I don’t know if I feel comfortable associating with other actors like the initial access brokers (IABs), and the data leak brokers, and the infrastructure-as-a-service (IaaS) providers anymore, that I’ve been accustomed to working with.’”
So why has this been happening?
Operation Endgame: a Game Changer
In May 2024, American and European authorities kicked off Operation Endgame, an unprecedented, large-scale effort to crack down on the people and infrastructure supporting worldwide ransomware operations. Russia’s crackdown on cybercriminals began a couple of months thereafter.
This may not have been a coincidence. Recorded Future argues that Operation Endgame raised the diplomatic cost of Russia’s safe harbor policy, and, in a softer sense, extended Western authority while relatively diminishing Russia’s.
Taking action of its own, by this logic, might have served at least two functions for the Kremlin. Outwardly, if only ostensibly, it demonstrated some desire to curtail cybercrime. Inwardly, it reminded the criminals who’s boss — “that we have authority over you, that we have power over you, that you will bend to our will. Specifically in terms of offensive operations abroad: you will fold under Russian intelligence services,” Leslie says.
Rather than burn its most useful assets in the underground, however, the Kremlin has pursued a dual-track approach. In essence: sacrificing some pawns to save its queens. Individuals involved in operations irrelevant to state intelligence — for example, money laundering — have faced apparently serious financial and legal penalties. Those of use to the government — leading botnet and ransomware developers from Conti, Trickbot, etc. — have always ultimately been spared by ersatz courtroom trials ending with no real consequences.
The researchers concluded that “these actions appear designed less to dismantle cybercrime writ large than to manage reputational pressure from the West, protect politically connected threat actors, and signal that Russia, not external powers, controls the boundaries of enforcement.”
Russia Targets Russians for Targeting Russians
“What we’ve noticed, at least since 2022, is an increase in attacks by Russia-based groups on Russian organizations. Ransomware attacks. Spreading malware. Hacktivist groups within Russia targeting Russian organizations,” Leslie says. In this light, it was the cybercriminals who broke the covenant, and the government that responded. “In order for Russia to allow the free market to function, the free market has to have guardrails. And those guardrails, at least within the last two to three years by our measurements, have deteriorated.”
With low confidence, he says, “we speculate that cyber criminal groups are no longer as successful in attacks against Western organizations due to widespread threat intelligence sharing, widespread proliferation of more advanced cybersecurity practices, and cybersecurity regulation.” Between improved law enforcement action and uneven but improving organizational cybersecurity across the Western world, Russian threat actors are reconsidering the much easier targets in their backyards.
Leslie warns that “Russian cybercrime is still flourishing. The Dark Web is still flourishing. That’s not going to change anytime soon. So I would not recommend any shift in defensive posture whatsoever. What I would recommend is watching very closely how disruptive action scatters the threat landscape, and how you need to adapt and diversify your hunting efforts in order to accommodate.”