Russia Pivots, Cracks Down on Resident Hackers
Recorded: Oct. 22, 2025, 3:01 p.m.
Original
Thanks to improving cybersecurity and law enforcement action from the West, Russia's government is reevaluating which cybercriminals it wants to give safe haven from the law.

Nate Nelson, Contributing Writer
October 22, 2025
6 Min Read
Source: Zoonar GmbH via Alamy Stock Photo

For the first time in history, the Russian government has been partially cracking down on its cybercriminal underground.

Russian cybercriminals operate everywhere, but Russia has always been the world's epicenter, primarily thanks to the carte blanche they're afforded by the state. At best, Russia's oligarchy has turned a blind eye to cybercrime within its borders. In many cases, state institutions and powerful officials have actively collaborated with, recruited, and otherwise aided Internet criminals.

In a new report, and an exclusive interview with Dark Reading at its Predict conference in Manhattan in early October, Recorded Future hypothesizes that this symbiosis is starting to show cracks. Thanks to some major developments in the West — namely, increased law enforcement against Russian cybercriminals, and improving cybersecurity across sectors — Russia's law enforcement has been revoking the safe harbor it provides some low-level cybercriminals.

"The key finding here is that Russia is acquiescing a little bit to the West," says Recorded Future threat intelligence analyst Alex Leslie. "You [once] had that unwritten rule of: if I'm a cyber criminal, as long as I don't target Russian organizations and individuals, I won't be prosecuted. That has actually changed."

Russia's motives for doing this are complex and in some ways cloudy. Regardless, whichever direction it continues will carry staggering implications for global cybersecurity.

The Dark Covenant Between Russia and Its Cybercriminals

Russia's cybercriminal underground has always been valuable to the Russian state. It's a drain on nations adversarial to Russia. It's a meaningful and endless source of income for young men without promising job prospects, who might otherwise turn to domestic crime. It's a zero-cost talent pipeline for state institutions that run offensive cyber operations. The state can even outsource its operations to high-level criminal groups, affording it a degree of plausible deniability.

For these reasons and more, the Russian powers have always maintained a social contract with lowly hackers: as long as the hackers don't attack targets within Russia, they can do whatever they'd like with impunity. The police won't arrest them, and international police won't even get a sniff.

In some cases the state doesn't just ignore hackers; it works with them. Leaked chats indicate that Conti members have enjoyed private flights with Vladimir Ivanovich Plotnikov, a member of the Russian Duma. One member is known to have supplied the Main Intelligence Directorate (GRU) with intelligence related to COVID-19. The group has also attacked known targets of the Russian state, whether by coincidence or coordination.

Leslie adds another example. "In the context of Ukraine, the GRU has various layers of institutionalized cybercrime involved. They inform its offensive operations, and have since 2022. Every layer of that institution relies on cybercrime in order to function properly."

Breaking with the Covenant

It's difficult to imagine this dark covenant ever wavering, but developments over the past year indicate that it just might be.

Most notably, in October 2024, Russian authorities raided and arrested nearly 100 people involved with Cryptex and the Universal Automated Payment Service (UAPS), money laundering services for the underground. They seized vehicles, property, and $16 million in Russian rubles.

In an April 2025 case, authorities arrested executives of Aeza Group, a bulletproof hosting provider affiliated with many threat actors and illicit marketplaces. They've also tagged hackers associated with the Mamont banking Trojan, and an anti-corruption official who ironically took bribes from the Infraud Organization cybercrime network.

Even leading members of household ransomware groups like Conti, Lockbit, and REvil have been arrested, though in those cases the flaccid penalties threat actors faced have indicated a lack of seriousness.

This break with precedent is causing serious ripples in the underground. "We see on XSS, on Dark Web forums, actors are starting to get scared. Actors are saying: 'I don't know if I feel comfortable being on a site like this and speaking Russian anymore.' 'I don't know if I feel comfortable associating with other actors like the initial access brokers (IABs), and the data leak brokers, and the infrastructure-as-a-service (IaaS) providers anymore, that I've been accustomed to working with.'"

So why has this been happening?

Operation Endgame: A Game Changer

In May 2024, American and European authorities kicked off Operation Endgame, an unprecedented, large-scale effort to crack down on the people and infrastructure supporting worldwide ransomware operations. Russia's crackdown on cybercriminals began a couple of months thereafter.

This may not have been a coincidence. Recorded Future argues that Operation Endgame raised the diplomatic cost of Russia's safe harbor policy, and, in a softer sense, extended Western authority while relatively diminishing Russia's.

Taking action of its own, by this logic, might have served at least two functions for the Kremlin. Outwardly, if only ostensibly, it demonstrated some desire to curtail cybercrime. Inwardly, it reminded the criminals who's boss — "that we have authority over you, that we have power over you, that you will bend to our will. Specifically in terms of offensive operations abroad: you will fold under Russian intelligence services," Leslie says.

Rather than burn its most useful assets in the underground, however, the Kremlin has pursued a dual-track approach. In essence: sacrificing some pawns to save its queens. Individuals involved in operations irrelevant to state intelligence — for example, money laundering — have faced apparently serious financial and legal penalties. Those of use to the government — leading botnet and ransomware developers from Conti, Trickbot, etc. — have always ultimately been spared by ersatz courtroom trials ending with no real consequences.

The researchers concluded that "these actions appear designed less to dismantle cybercrime writ large than to manage reputational pressure from the West, protect politically connected threat actors, and signal that Russia, not external powers, controls the boundaries of enforcement."

Russia Targets Russians for Targeting Russians

"What we've noticed, at least since 2022, is an increase in attacks by Russia-based groups on Russian organizations. Ransomware attacks. Spreading malware. Hacktivist groups within Russia targeting Russian organizations," Leslie says. In this light, it was the cybercriminals who broke the covenant, and the government that responded. "In order for Russia to allow the free market to function, the free market has to have guardrails. And those guardrails, at least within the last two to three years by our measurements, have deteriorated."

With low confidence, he says, "we speculate that cyber criminal groups are no longer as successful in attacks against Western organizations due to widespread threat intelligence sharing, widespread proliferation of more advanced cybersecurity practices, and cybersecurity regulation." Between improved law enforcement action and uneven but improving organizational cybersecurity across the Western world, Russian threat actors are reconsidering the much easier targets in their backyards.

Leslie warns that "Russian cybercrime is still flourishing. The Dark Web is still flourishing. That's not going to change anytime soon. So I would not recommend any shift in defensive posture whatsoever. What I would recommend is watching very closely how disruptive action scatters the threat landscape, and how you need to adapt and diversify your hunting efforts in order to accommodate."

About the Author

Nate Nelson, Contributing Writer

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."
Summarized

Russia is increasingly turning its focus inward, cracking down on a cybercriminal underground that was once a well-tended state-sponsored asset. Historically, the Russian government tolerated or even tacitly endorsed hacking activity as long as attackers stayed clear of Russian targets. This policy gave the state a low-cost talent pool for offensive cyber operations, while providing lucrative opportunities for criminals who would otherwise turn to domestic crime. The informal contract—no prosecution if attacks spared Russia—was supported by examples of state-level cooperation with groups like Conti: leaked chats revealed members received private flights from a member of the Russian Duma, and other actors supplied intelligence to the GRU.

In a recent Recorded Future report, released together with an exclusive Dark Reading interview at the Predict conference in Manhattan, analysts argue that this symbiosis is beginning to deteriorate. The primary catalyst is a combination of intensified Western law-enforcement targeting of Russian cybercriminals and the general improvement in cybersecurity across the United States, Europe, and other Western regions. As a result, Russian police have begun revoking the safe harbor previously granted to low-level criminals. One analyst summarizes the shift succinctly: "You once had that unwritten rule of: if I'm a cyber criminal, as long as I don't target Russian organizations and individuals, I won't be prosecuted. That has actually changed."

Russia's own motives for this shift appear multi-faceted. On one hand, the Kremlin no longer wants to be a magnet for foreign law-enforcement scrutiny; on the other, it faces reputational pressure from allies and competitors that increasingly share threat intelligence and enforce strict cybersecurity norms. The 2024 Operation Endgame—an unprecedented joint counter-ransomware effort by U.S. and European authorities—raised the diplomatic cost of Russia's "safe harbor" doctrine. In turn, Russian officials saw an opportunity to reassert control over the domestic threat landscape, signaling that they, not external powers, defined the boundaries of enforcement.

The crackdown itself has taken tangible form. In October 2024, Russian authorities raided and arrested almost 100 individuals linked to Cryptex and the Universal Automated Payment Service (UAPS), a money-laundering front for cybercriminal infrastructure. Property, vehicles, and 16 million rubles were seized. In April 2025, executives of the Aeza Group—a hosting provider tied to multiple threat actors—were detained, alongside hackers associated with the Mamont banking Trojan and a corruption-implicated official who had accepted bribes from the Infraud Organization. Arrests have extended to high-profile ransomware groups: leaders of Conti, Lockbit, and REvil faced charges, though the penalties proved relatively mild, reflecting that they still serve state interests or are politically connected.

These investigations have unnerved the underground community. Dark-web forums report growing unease, with actors expressing uncertainty about speaking Russian publicly or collaborating with the partners in the same ecosystem they once worked with routinely. The dual-track approach adopted by Russian authorities—severing the flow of money-laundering services and lesser cybercrime operations while sparing key ransomware developers who remain useful to state objectives—demonstrates a strategic balancing act. The Kremlin appears more focused on managing reputational pressure and maintaining the flow of talent it can exploit than on dismantling cybercrime wholesale.

In addition to domestic crackdowns, Russia itself has seen an uptick in internal attacks. Russia-based threat actors increasingly target Russian organizations with ransomware, malware, and hacktivist campaigns—an inversion of the previous pattern. Analysts attribute this shift to improved threat intelligence sharing and the spread of advanced cybersecurity practices and regulations in Western companies, which have made those more lucrative targets less accessible. As a result, criminal groups are re-evaluating their prospects within Russia, perhaps explaining why the state has been compelled to step in.

For cybersecurity practitioners, the lesson is clear. Russian cybercrime continues to thrive despite crackdowns, and the Dark Web remains vibrant. Defensive posture should not change dramatically; instead, organizations should maintain vigilance by closely monitoring how disruptive legal actions shift the threat landscape and by diversifying hunting strategies to adapt to evolving adversary behaviors. Analysts urge that anyone operating in an environment with potential Russian threats should remain observant of how law-enforcement actions ripple across the underground, ensuring that threat-intelligence capabilities evolve alongside these shifts.

According to Alex Leslie of Recorded Future, this development reflects Russia's attempt to reassert authority over its cyber domain while balancing external diplomatic pressure. Meanwhile, Nate Nelson's article underscores the broader implications of the Kremlin's policy change for global cybersecurity. Together, they paint a picture of a nation recalibrating its cyber ecosystem: a fragile equilibrium between a lucrative, state-backed hacking culture and an emerging desire to contain it amid an increasingly vigilant international cyber-law environment.