RansomWar Part 4a: CyberCriminals as “Combat Resource” and Bargaining Chip
Russian ransomware actors are “hybrids”: criminals but also IT talent with a fearsome reputation. Why crack down when you can exploit them as a “combat resource” and bargaining chip?
Epigraphs:
The Russian government treats oligarchs, organized crime, and associated businesses as tools of the state, rather than independent, private entities. The Kremlin uses these entities to pursue Kremlin priorities, including money laundering, sanctions evasion, and influence operations. This is a fundamentally different model than in the United States. (Report of the Select Committee on Intelligence United States Senate on Russian Active Measures Campaigns and Interference in the 2016 U.S. Election, volume 5, 2020)
“...information security specialists...can be compared with snipers. A person who knows how to shoot well is a real combat resource. A modern programmer, who knows how to breach any operating system from a distance, is also a combat resource.” (Natalya Kasperskaya, Co-founder of Kaspersky Lab, IT contractor and advisor to Russian government ministries, 2017)
“The approach our special services use to interact with talented guys [like us] is like a chapter of the ‘operational work’ book going back to the 1980s.” (Hacker Pavel Sitnikov, 2020)
Summary
This is part 4a of Natto Thoughts’ “Ransom-War” series.1 The series argues that Russian ransomware actors are not solely financially motivated; rather, whether they like it or not, they are immersed in the geopolitical context of Russia’s self-proclaimed confrontation with the “collective West,” and in at least some cases the targeting and timing of their attacks align with Russian strategic interests, suggesting some degree of state inspiration or even coordination.
In this post, Part 4a of the series, the Natto Team argues that Russian ransomware actors are “hybrid” in another way: both criminals and valuable IT talent. Sometimes-puzzling Russian law enforcement patterns resemble less a desire to crack down on crime than to monopolize and exploit hackers as a “combat resource” and a bargaining chip.
Sporadic Russian crackdowns on ransomware actors likely have a variety of motives, but meaningful cooperation with the West against destructive cybercrime is likely not one of them.
Rather, Russian law enforcement treatment of cybercriminals is consistent with a tradition of co-opting common criminals to do their public or private dirty work.
Russian cybercriminals are criminals but also strategic national resources with valuable IT talent and a fearsome reputation. Russian intelligence services have used carrots – such as protecting them from extradition to the West – and sticks, such as “prophylactic chats” and the threat of arrest, to harness them and prevent them from aiding Russia’s adversaries.
This is the context that helps explain the otherwise inscrutable patterns of crackdowns in 2021-2024, as we explore in more detail in a subsequent posting.
Puzzling Crackdown
January 14 2022 was a big day in Russia and Ukraine.
Russian troops were massing on Ukraine’s borders, giving rise to anxious speculation about whether and when Russia would invade. Frantic Russian/Western negotiations had gone nowhere, with Russia insisting that it would deescalate only if the North Atlantic Treaty Organization (NATO) promised never to admit Ukraine into the alliance. Ukrainian and US officials warned that Russia was preparing provocative “false-flag” attacks that it could blame on Ukraine as an excuse to invade.
That same day, employees of at least a dozen Ukrainian government agencies found the data on their computers had been destroyed. Some saw a fake ransom note; some saw a menacing message in Ukrainian, Russian, and Polish that read, “Ukrainians! All information about you has become public, be afraid and expect the worst.” The next day Microsoft reported finding on these machines a sophisticated wiper malware “which is designed to look like ransomware but lacking a ransom recovery mechanism, is intended to be destructive.” The US and other countries in the Five Eyes intelligence-sharing group would attribute the attack, dubbed “Whispergate,” to Russia’s military intelligence (GRU) officers. (The Natto Team has discussed Whispergate here and here).
Also on January 14 2022, video footage appeared online showing officers in bullet-proof vests breaking down doors, handcuffing half-dressed young men, examining computer terminals, and counting piles of cash. Russia’s Federal Security Service (FSB) announced it had searched 25 locations associated with 14 people suspected of participation in the REvil ransomware group. Eight of those were arraigned for prosecution. The FSB said it was acting on information that US law enforcement had provided. A top White House official told reporters “We understand that one of the individuals who was arrested today was responsible for the attack against Colonial Pipeline last spring.”
Why the Arrests?
As we have seen, the REvil arrests threw Russian cybercriminals into a tizzy: after years of impunity for cybercrime against foreigners, was Russian law enforcement now going to cooperate with US law enforcement in a real crackdown on Russian ransomware actors? Various experts have suggested various answers.
An Image Thing: Will Thomas of data center and internet exchange company Equinix pointed out the coincidence of the January 14 events as part of his overview of Russian hacker/state relations at the May 24 2024 Sleuthcon cybercrime conference. Thomas noted that whenever Russia does arrest a ransomware actor, “It’s never straightforward; there’s always some sort of signaling going on.” Howard suggested a variety of possible explanations for the coincidence of the Whispergate attack with the announcement of the REvil arrests: “It’s plausible deniability, it’s distracting, and only targeting certain audiences...It’s all an image thing with them.” Perhaps these and other sporadic hacker arrests are intended to give the appearance of a crackdown on corruption, or they may represent a power struggle among powerful politicians, he suggested.
Power Struggle Among Russian Special Services: Émigré Russian security analyst Andrei Soldatov appeared to attribute the arrests to a power struggle among Russian special services: “What we’re seeing is less an effort to sow goodwill in the West than an attempt by the FSB to affirm its rising status as the major bureaucratic force behind Russian foreign policy — to the detriment of the country’s Ministry of Foreign Affairs.”
Ransomware Diplomacy: “This is Russian ransomware diplomacy,” cybersecurity expert Dmitry Alperovitch of the Silverado Policy Accelerator said on Twitter at the time. “It is a signal to the United States — if you don’t enact severe sanctions against us for invasion of Ukraine, we will continue to cooperate with you on ransomware investigations.” This interpretation makes sense in the context of the time, when Russian diplomats were offering various deals to the West to stay out of Russia’s planned invasion of Ukraine. In a sense, Russian officials were holding the threat of Russian hackers over the US and warning they would work to remove that threat only if the US satisfied Russian demands. We discuss this aspect further below and in a subsequent posting.
Seizing Valuable Tools from Criminals: “The raid may have sought to seize access to high-value systems developed by ransomware actors for use by Russian intelligence services; or to send a reminder to ransomware groups in Russia that their best bet is to place their loyalties with the Russian state,” as researchers at the Federal Institute of Technology in Zurich phrased it.
Keeping Valuable Skills in Russian Hands: Ukrainian cybersecurity official Natalia Tkachuk said in April 2022 that the Russian government had likely known the criminals’ whereabouts for a long time: “It is obvious that in [President Vladimir] Putin’s totalitarian Russia, where everyone, including organized crime, is controlled by the intelligence agencies, independent (uncontrollable) hackers and marketplaces wouldn’t be able to hide for a long time without cooperation with them.” She assessed that the REvil arrest was likely “part of a special operation aimed either at hiding criminals from American and European law enforcement, or at directing them to ‘work for the government’.”
All of these factors were likely at work in Russia’s complex reality. Russia’s legal system is characterized not by rule of law but by “telephone justice,” where judges often make decisions based on telephone calls from powerful people. Law enforcement actions often serve to silence critics of the government or are part of power struggles among competing “clans” of officials and powerful individuals, even among security services themselves.
The January 14 arrests sent different messages to different audiences. To Ukraine’s Western backers, they bolstered the message Russia was sending with its military buildup and coercive diplomacy of the time, as if promising to crack down on ransomware targeting Western countries only if they would stop supporting Ukraine. To domestic Russian hackers, it was a threat of imprisonment if they did not cooperate with their security services.
In the present posting and the one that follows, the Natto Team provides context based on many years of observing not just Russian hackers but also common criminals and law enforcement. We argue that Putin’s leadership benefits from Russian ransomware actors and other cybercriminals, and that Russia may have put on a show of cooperation with the West against cybercrime but never genuinely intended to cooperate. Instead, the pattern of Russian government actions suggests an intent to monopolize and manage hacker talent for Russia, as Ukraine’s Tkachuk said about the January 2022 arrests. This draws on Russian traditions of harnessing common criminals for state needs.
Russia’s Hybrid Hackers: Criminals but also IT talent
We have already introduced the idea that some Russian ransomware operations appear to have hybrid motives – both financial and political – and that ransomware operations can serve as weapons in Russia’s hybrid warfare. Russian hackers are also a hybrid in another sense: they are criminals, but at the same time possess IT talents valuable to the Russian motherland.
Natalya Kasperskaya, co-founder of Kaspersky Lab, is a Kremlin-friendly IT entrepreneur and advisor to Russian government ministries. Speaking in August 2017 at the Army-2017 International Military-Technical Forum near Moscow, she said:
...information security specialists...can be compared with snipers. A person who knows how to shoot well is a real combat resource. A modern programmer, who knows how to breach any operating system from a distance, is also a combat resource.
Kasperskaya worried that Russian IT specialists were vulnerable to recruitment by foreign special services — either if they voluntarily moved abroad for work, or if they traveled abroad, were arrested and cooperated with foreign law enforcement. Kasperskaya gave the example of Aleksandr Vinnik, operator of the BTC-e cryptocurrency exchange, whom Greek authorities arrested on July 27 2017, at the US’s request, for alleged money laundering. Kasperskaya speculated that Western prosecutors dangle the threat of long sentences to lure people like Vinnik into cooperating with them. She proposed that the Russian government create a registry of IT specialists, implying that the government could call on them for services to pay their motherland back for educating them. Kasperskaya’s proposal implied that the Russian government should take steps, even limiting hackers’ mobility, to retain their talent. By citing the case of Vinnik, she was saying that the pool of IT talent included suspected cybercriminals.
The Natto Team and other researchers have discussed various benefits that collaboration with cybercriminals and other nonstate cyber actors brings to the Russian government. Benefits include the ability to:
wage “hybrid” warfare deniably below the level of armed conflict, by dividing adversary societies and undermining their economies;
tap skilled personnel who can finance and bear the risks of their own operations;
bring in money for the state through bribes and luxury spending;
use stolen data for state espionage – as the Conti actors appear to have provided to the SVR’s CozyBear (APT29) group and the REvil group threatened to do with data from US nuclear contractor Sol Oriens; and
destroy data, degrade performance, and disrupt services, allowing threat actors to cover up evidence of espionage, fraud or other crimes.
Hacker Prowess Gives Russia “Great-Power” and Gangster-Boss Status:
Russia’s fearsome hacker prowess also serves to deter adversaries, just as its nuclear weapons do. Indeed, like nuclear weapons, the threat of Russian hackers serves to help restore Russia’s sense of being a superpower. As the Natto Team pointed out in the posting “Putin: The Spy as Hero,” Putin appears to believe he has a mission to strengthen the Russian state and undo the humiliation Russia suffered with the breakup of the Soviet Union. Putin seeks to force the international community to accept Russia as a great power, with a role in deciding global issues and a recognized sphere of influence in its neighborhood, as the Western allies granted to Stalin at the Yalta Conference toward the end of the Second World War. (Added July 29 2024: On the Soviet roots of the Russian leadership’s sense of injured pride and desire for global recognition, see Sergey Radchenko’s new book To Run the World).
Russian cyber diplomat Andrey Krutskikh, speaking at a Russian cyber conference in early 2016, compared the cyber arms race with the Cold War-era nuclear arms race and “hinted that Russia now has a weapon that will force America to talk with us as equals (намекал на то что у России появилось оружие, которое заставит Америку вести разговор на равных),” according to people present. Commentators have assessed that Krutskikh was referring to Russia’s plan to use hacking and social media to interfere in the 2016 US presidential election.
Another example of Russia-origin cyber activity bolstering Russia’s image as a superpower was the devastating Russia-based ransomware attack on the US company Colonial Pipeline in May 2021. Following the attack, the agenda of a June 2021 summit meeting between Putin and US President Joe Biden focused not only on issues of strategic stability, such as nuclear weapons, but also on reining in ransomware actors.
Top Russian Security Council official Oleg Khramov said a key theme of that summit was “ensuring information security and attaining agreement between two great powers on this currently important topic on the global agenda.” The New York Times used similar terms in a headline that marveled, “Once, Superpower Summits Were About Nukes. Now, It’s Cyberweapons.”
Later, in an April 7 2022 interview, Khramov stressed the vulnerability of supposedly superior American computer systems, appearing to dangle the threat of Russian hackers if the US continued to block Russian proposals for a UN information security agreement. (More detail on this “ransomware diplomacy” over the UN agreement will appear in a subsequent Natto Thoughts posting). Khramov said,
“...the many years of relying on [its] domination in the Internet have led the US to a situation where, as experts say, any schoolchild is able to damage America’s ‘smart’ homes...It is nothing but payback (расплата) for the high-handedness and arrogance (самонадеянность) and rejection of the proposals by Russia, China and other clearly thinking sovereign states to accept binding international legal documents.”
Because of their fearsome reputation, then, the Russian state can use the threat of Russian hackers as a bargaining chip. Even without directing or explicitly encouraging particular ransomware campaigns, the Russian government can hold out the prospect of either cracking down or not cracking down on the hackers.2 “Like classic gangster protection racket schemes, the Kremlin can disavow the actions of its guns-for-hire with a wink, while darkly hinting that more things could ‘break’ unless its adversaries pay up and behave,” as the Center for Naval Analyses phrased it in 2017.
In Ransom-War part 4b we see how Russia used hackers as a bargaining chip during the years 2021-2022, as Russia and the US supposedly cooperated against ransomware after the May 2021 Colonial Pipeline hack and as Russia prepared and carried out its full-scale war on Ukraine.
The present posting looks at how Russian government officials have offered both carrots and sticks to elicit hackers’ cooperation, alternately treating them as valued IT experts and as common criminals. We note that Russian officials do not represent a monolith. Officials in various agencies and at various levels often work at cross-purposes and do corrupt deals with criminals for their own enrichment. However, they are all operating within a system and political culture characterized by established patterns of informal personalized power networks that corruption researcher Alena Ledeneva has simply called “sistema” (the system).
Protecting a Valuable Resource:
Sometimes hackers are treated as valued talent and offered positive inducements.
“Carrots” include:
Protection from prosecution within Russia and help to prevent criminals who are caught abroad from being extradited for prosecution in the United States (discussed below).
The prospect of lucrative government contracts. Evil Corp leader Maksim Yakubets’s company had FSB contracts and certification to work with government secrets, according to the US Treasury Department.
Rewards and recognition. Another Evil Corp member, Igor Turashev, was a winner in a 2023 hackathon associated with the mercenary and information warrior Yevgeniy Prigozhin’s Wagner Group. The Wagner Group, a Kremlin proxy, was rewarding Turashev even after the US had accused him of criminal activities exploiting victims abroad.
Exemption for IT specialists from the partial military mobilization of September 2022.
Tipoffs about ongoing law enforcement investigations. As one example, in May 2009 FBI agents told the FSB they had identified Roman Seleznev, the son of a Russian parliamentarian, as a criminal hacker. A month later, he announced he was leaving the business. The FSB had tipped him off. Seleznev told a colleague in 2008 that he had “obtained protection through the law-enforcement contacts in the computer-crimes squad of the FSB,” as US prosecutors wrote in court documents.
Opportunities to earn money even while in prison. Russian prison officials have reportedly considered hiring out imprisoned IT specialists to Russian IT companies for remote work.3
Extradition Battles: “Saving Private Zubakha”
Another benefit that some hackers receive from the Russian government is help in resisting extradition to the United States if they are arrested in a third country. Natalya Kasperskaya, the IT entrepreneur whom we saw describing IT specialists as a “combat resource” for Russia, highlighted the example of Aleksandr Vinnik, the cryptocurrency exchange operator arrested in Greece. After his arrest, the Russian government promptly announced its own charges against Vinnik and demanded that the Greek government turn Vinnik over for prosecution in Russia instead of the US.4
Kasperskaya’s husband Igor Ashmanov defended Vinnik as well. Ashmanov is another influential IT entrepreneur, government contractor and member of various government advisory bodies. The European Union sanctioned him for supporting Russian aggression in Ukraine. A Russian true-crime website also notes that one of Ashmanov’s companies shares an address with one of Vinnik’s, suggesting possible business ties. In an April 2018 op-ed for Russian state media RIA Novosti, Ashmanov hailed Vinnik as “a carrier of completely unique theoretical and practical knowledge in the most advanced areas of information technology,” referring to financial technologies such as cryptocurrency. He encouraged Russian government efforts to help people like Vinnik avoid extradition, “especially when there is an attempt by a ‘potential adversary’ to seize strategic intellectual resources.” Ashmanov described US extraditions of cybercriminal suspects as an “especially effective” method of “US headhunting, that is, methods to cheaply take our mathematical and programming geniuses and specialists.” He outlined what he said was the US method of inducing Russian hackers to cooperate with the US government — including threats of a 30-40 year US prison sentence, after which “you will come out an old man, if your tan and lonely cellmates don’t torture you to death with their progressive love,” insinuating that they would be raped by people of color in US prisons.
Ashmanov cites two incidents when the Russian state successfully stepped in to prevent extraditions to the US. One was the case of Dmitriy Zubakha, an employee of Ashmanov’s whom authorities in Cyprus arrested in 2012 at the US’s request. In a 2013 blog posting, Ashmanov detailed his own role in that nine-month legal and diplomatic battle, which he said cost hundreds of thousands of Euros. Ashmanov said he pulled together a multinational legal team that, together with Russian diplomats, police, and even Russia’s Presidential Administration, persistently appealed to Cyprus legal authorities that Zubakha be extradited to Russia rather than the US. Zubakha’s case even appeared on the list of demands during negotiations for a $5 billion Russian loan to Cyprus during a financial crisis there. In addition, Ashmanov’s fellow nationalist activist Nikolay Starikov arranged pro-Zubakha protests and flashmobs outside embassies.
The campaign succeeded; Zubakha was returned to Russia in 2013, pled guilty to the Russian charges, and in 2014 was set free with a suspended sentence. Ashmanov entitled his 2013 blog post about the incident “Saving Private Zubakha.” This title, a reference to the US film “Saving Private Ryan,” underscores Ashmanov’s point that Russian IT specialists are like precious soldiers on the field of battle.
Ashmanov’s efforts to “Save Private Vinnik” failed, however: Vinnik was extradited and tried in the US and pled guilty in May 2024.
Russia’s government has a history of battling Western law enforcement over extraditions of other Russian criminal suspects as well, if those criminals have sensitive knowledge. In some cases, when Russia wins an extradition battle and the suspect arrives back in Russia, he is quickly released rather than imprisoned, showing the Russian government’s lack of desire for real cooperation against crime. For example, in 2005, former Russian atomic energy minister Yevgeny Adamov was arrested in Switzerland, on a US request, on charges of embezzling some $9 million in US grant money. Russia countered with its own extradition request, telling the Swiss that US law enforcement would torture Adamov to extract nuclear secrets. The Swiss decided to return Adamov to Russia. There he was briefly imprisoned before being allowed out on bail pending his trial; he soon received a suspended sentence (https://www.kommersant[.]ru/doc/883807).
These extradition battles show the Russian government trying to keep Western governments from being able to use the knowledge or skills of criminal suspects against Russia.
Not Just Carrots But Also Sticks: Taking a chapter from the old “operational work” book
Russian officials do not always give hackers the white-glove treatment, however. Hacker Pavel Sitnikov, a colorful figure who has sometimes boasted of connections with the Russian government, characterized Russian hackers as “talented guys” and complained that they were treated too much like criminals and not enough like professionals. Though we need to take his words with a grain of salt, Sitnikov vividly summed up what we have seen of the tension between wooing hackers as IT talent and roughing them up like criminals. In a December 28 2020 interview with US-based cybersecurity news source The Record, Sitnikov said Russian officials “don’t really know how to interact with this social group. The approach our special services use to interact with talented guys is like a chapter of the ‘operational work’ book going back to the 1980s.”
“House-Training” Russian Organized Crime
The Soviet-era legacy of police “operational work” with common criminals has been well-documented by experts on Soviet and Russian organized crime and prison culture such as UK-based analyst Mark Galeotti. The treatment of Russian cybercriminals today does indeed bear some resemblance to the treatment of common criminals.
Galeotti dismisses simplistic views of the Russian state as either conscientiously trying to stamp out crime or, conversely, having completely fused with crime. Rather, Galeotti says, Putin developed an unspoken social contract with organized crime groups in the 2000s: as long as they did not challenge or embarrass the state, then the state would not prioritize fighting their crime. Or as Galeotti phrased it in the 2024 podcast “Gangster Geopolitics,” “What Putin did was essentially house-train organized crime.”
Furthermore, the Russian special services often use criminals to carry out foreign operations. In a 2023 article entitled “We Have Conversations: The Gangster as Actor and Agent in Russian Foreign Policy,” Galeotti fleshes out how Russian special services co-opt criminals to pursue foreign-policy goals. Galeotti describes the crime/state relationship as “essentially antagonistic, transactional and asymmetrical.” These state/organized crime relations “are essentially pragmatic (rather than ideological), individual (rather than routine) and initiated by the government.”5
Many aspects of the crime/state relationship that Galeotti describes match what we have seen in the case of cybercriminals. Natto Team comments are in italics.
The state “permits and uses an informal market for illicit services” that criminals can provide. Russian state hackers borrow criminal malware and infrastructure, as summarized in Part 1 of this Ransom-War series, as well as in Will Thomas’ Sleuthcon talk.
Relationships between criminals and officials generally take place at a local level, not a national one, “kept at arm’s length through local connections and subcontractor chains.” We have seen in “Ransom-War” Part 2a that Conti actors apparently receive assignments from the Saint Petersburg office of the FSB rather than the central one in Moscow.
Police often pull criminals into a police station and give them warnings about “the bounds of acceptable practice,” such as making sure they did not stage bloody shootouts that would besmirch Russia’s reputation during the 2014 Sochi Olympics or the 2018 World Cup games in Russia. These conversations resemble Soviet-era “prophylactic chats” (профилактические беседы) in which police issued warnings to political dissidents. As Galeotti says elsewhere, these chats were “meant to intimidate without the need for prosecution.” The Natto Team hypothesizes that Russian law enforcement may have had similar conversations with cybercriminals, as well as ordinary thugs, before the 2018 World Cup, which may account for the relative lack of high-profile cybercrime events during the games. Incidents have occurred in which a criminal has been brought into a police station but then freed; these raise the question of whether the authorities have recruited the criminal to help them.
“From time to time, when individual gangsters became a bit too cocky, or because the state felt it needed to make a lesson, there will be some kind of high-profile operation.” The January 2022 REvil arrests appear to exemplify this, as we discuss further in a subsequent posting.
Networks of Russia-based criminals “are vulnerable to pressure, or simply...proactively seek to please the regime to avoid pressure or acquire political capital... As a Western counter-intelligence officer put it to me...‘so long as [the criminals’] balls were in Moscow, the Russians could always squeeze’.” In “Ransom-War” Part 2b we saw that cybercriminals felt vulnerable to pressure to do favors for the government.
“Those ‘conversations’...between the representatives of upperworld power and their underworld counterparts, are distinctly asymmetric. The former do not care about or trust the latter; the latter will do the minimum necessary to placate the former, while seeing how they can turn the situation to their advantage.” This too aligns with what we have seen in “Ransom-War” Part 2b.
But Cybercriminals are Not Disposable Assets:
One aspect in Galeotti’s description of the treatment of common criminals does not match what we have seen in the case of cybercriminals. Galeotti said, citing a German official, “Moscow uses the criminals, but as disposable assets.” Galeotti adds, “the Kremlin only very rarely seems to be at all interested in seeking to protect gangsters and their interests... in the few specific cases where it actively spends diplomatic capital to defend criminals, it is more likely to be shielding intelligence assets or missions” such as arms dealer Viktor Bout. In contrast, in the case of cybercriminals Russian officials have indeed gone to bat to prevent their extradition for prosecution abroad; this shows how much the state values their skills.
“A Knock on Your Ass”
Despite their elite skills, Russian cybercriminals have tales of being treated like common criminals. Even though Russian special services do not normally prosecute cybercriminals for attacks on foreign targets, they can find or create a pretext to apply pressure. Stories abound of police planting evidence or beating suspects to elicit confessions, and almost anyone can be found to have committed some kind of infraction.
Threats of Violence:
We have already seen, in “Ransom-War” Part 2b, Russian cybercriminal forum participants speculating on the seriousness of the apparent crackdown of 2021 and on what they might experience in a Russian or US prison. Even before that, participants in online Russian cybercrime forums expressed fear of the police, as US-based cybersecurity company ReliaQuest chronicled in March 2021. The forum participants were sure that police would catch them sooner or later. Some feared that Russian police would “stop at nothing” to elicit passwords and other information from suspects. Some shared “graphic anecdotes about police torture” – one predicted that they would “‘treat’ you with a stun gun” – and feared that cybercriminals could not stand up to torture. Other users disagreed, expressing the hope that police would merely issue empty threats of violence or might even overlook seemingly victimless cybercrimes.
One hacker told BuzzFeed News in 2017, based on personal experience, “This is the way it goes: They trap one hacker and then they get him to trap his friends.” The hacker, who had recently served time in a Russian prison and had fled the country once he was released, said the “pressure was intense” to do work on behalf of Russian intelligence officers. “They press on you. It’s not, like, a nice request. It’s a knock on your door and maybe a knock on your ass. If they can’t threaten you they threaten your family.”
Threats of psychiatric imprisonment:
One imprisoned hacker claimed that law enforcement officers dangled over him the threat of psychiatric imprisonment. Konstantin Kozlovskiy, a member of the Lurk cybercrime group, has been in a Russian prison for nearly a decade. As mentioned in “Ransom-War” Part 2a, each time he comes up for hearings on his sentence, he keeps embellishing his story, accusing more people of treason. This suggests he is amenable to saying whatever it takes to get himself out. Kozlovskiy claimed that in 2016 an investigator threatened to send him for evaluation at the Serbsky Institute, an infamous psychiatric institution to which, in Soviet days, dissidents were sent for involuntary treatment that included injections with painful drugs. Even after Kozlovskiy gave the investigator some names of supposed accomplices, he said they still sent him to the Serbsky Institute for testing.6
Multiple Police Encounters
IT entrepreneur Pavel Vrublevsky, the owner of Russian payments firm ChronoPay, has faced multiple arrests and been released to do favors for the government. According to cybersecurity researcher Brian Krebs, in 2011 Vrublevsky was arrested for allegedly hiring hackers to attack a competitor, was held in prison for six months, but then was released after confessing, a confession he later recanted. In 2013, he was re-arrested after admitting to attempting to bribe or intimidate witnesses in his ongoing trial. He was released again, less than halfway through his sentence, reportedly to help Russia develop a sanctions-busting credit card payment scheme. Vrublevsky’s case is complicated by issues of corruption, political influence, and clan battles within the FSB itself, as cybersecurity researcher Kimberly Zenz has chronicled. In March 2022, Vrublevsky again faced arrest, ostensibly for fraud.
Pavel Sitnikov, the one who spoke about the “operational work” book, experienced multiple encounters with police in 2021, possibly as a form of pressure to cooperate. In May, Russian police arrested Pavel Sitnikov, ostensibly for spreading the Anubis malware. While Sitnikov awaited trial on these charges, he says he was again called in for questioning about cybersecurity entrepreneur Ilya Sachkov, who was arrested September 28 on ostensible charges of treason. Sitnikov, who had no love for Sachkov, implied that he had given testimony under duress, claiming in a 2022 interview that “they put a piece of paper in front of me and I signed.”
Sitnikov has claimed that after his initial arrest, his lawyer urged him to get a regular job in order to look more respectable, as he was then not formally employed. He said that was why he signed on as an employee of ZeroDay Technologies, a firm known to have developed malware for the Russian government. He said in a 2022 interview that his employment at 0day was brief and purely formal and that he had nothing to do with developing the malware. If true, his story is an example of a cybercriminal who agrees to work for a government-sponsored entity as a way to lessen his risk of punishment.
Threat of Foreign Prosecution
Russian special services protect cybercriminals from foreign attempts at prosecution, but they also take advantage of information that Western law enforcement provides and use it to identify and harness IT talent. As former FBI Cyber Division Chief Technology Officer Milan Patel said in 2017, “We would tip them off about a person we were looking for, and they would mysteriously disappear, only to appear later on working for the Russian government… We basically helped the FSB identify talent and recruit by telling them who we were after…”. As The New York Times phrased it in 2017, “The joke among Justice Department officials was the Russians were more likely to pin a medal on a suspected criminal hacker than help the F.B.I. nab him” – or that they would track the suspect down and demand logistical or technical help for government cyber operations.
The FSB’s Center for Information Security (TsIB, a.k.a. Center 18) was responsible for sharing intelligence on cybercriminals with foreign countries. But at the same time, it coopted hackers such as Aleksey Belan, one of the FBI’s most wanted cybercriminals, to help snoop on the FSB’s domestic political targets while allowing him to continue targeting innocent people worldwide, according to a 2017 US indictment. Indeed, according to the same indictment, Belan only began working with Russian intelligence after the U.S. asked Russia for help in arresting him for cybercrimes such as identity theft.
Mitigating the Risk of Prosecution: A Roof Over Your Head
For any business or group in Russia, where the rule of law and property rights are weak, having a powerful protector (крыша, pronounced krysha, literally “roof”) is essential to avoid being undermined by powerful rivals, extorted by criminals, or arrested on trumped-up charges. Cybercriminals often have business or family ties with influential people who provide protection. It is not always clear who initiates these protective relationships – whether the criminals sought them out or whether the powerful patrons took on the criminals as proteges.
Examples of people in the cybercriminal ecosystem with high-level business or family ties include the following:
As mentioned above, a Russian true-crime website says Igor Ashmanov may have business ties with Aleksandr Vinnik, the cryptocurrency entrepreneur he tried to save from extradition to the US.
The cybercrime forum participants described by ReliaQuest in March 2021 shared stories of paying people off to avoid prosecution and stressed the importance of having a good lawyer. Even better, “As one user put it, ‘a good lawyer knows the law, a better one knows the judge’.”
Maksim Yakubets of Evil Corp is married to the daughter of a retired high-level FSB officer who headed an FSB veterans’ mutual-aid organization, as independent Russian researchers discovered. Update October 3 2024: Yakubets also covered up his crimes via employment at a business co-founded by the son of Yuriy Chayka, according to an October 1 2024 US Treasury Department sanctions document. Yuriy Chayka served for decades as Prosecutor General and Justice Minister of Russia and now serves on Russia’s Security Council. More analysis on Evil Corp appears in the September 11 2024 Natto Thoughts posting Ransom-War In Real Time, Case Study 1: Conti, EvilCorp and Cozy Bear.
Cryptocurrency exchange Garantex, which is under Western sanctions after helping Conti and other criminal groups launder ill-gotten gains, has “multiple connections” to a firm that simultaneously has ties to the Kremlin-controlled oil company Rosneft and also to a convicted gang leader, according to investigative journalists. “The revelation that a Garantex affiliate has Russian government and criminal ties raises the concern that the Kremlin is tolerating the still-thriving exchange or even using it for its own ends,” analysts told the journalists.
Ekaterina Zhdanova, whom the US sanctioned for laundering money for entities including the Ryuk ransomware group, also ran a business together with the wife of Sergey Shoigu, Russia’s longtime Defense Minister, who was once thought to be a possible successor to Putin and now serves as Secretary of the Security Council.
Dmitry Zubakha, the “Private Ryan” whom Igor Ashmanov saved from extradition in 2013, reportedly went into business in 2021 with the son of the Russian Minister of Industry.
Hackers’ bribing of Russian law enforcement officers is not new, but when such a relationship goes sour, it makes the news. In September 2023 hackers reported on an FSB officer in Omsk whom they had bribed to quash their case but who had failed to do so. The hacker suspects had been arrested in early 2022 with the help of information from the US FBI. In April 2024 the (now former) FSB officer received a 9-year sentence, while the hackers received light sentences or time served.
Ransom-War Part 4b takes a closer look at this FSB officer’s case and other events in the era of supposed Russian/US cooperation against cybercrime in 2021-2022, which exemplify the use of Russian cybercriminals as “combat resources” and bargaining chips.
Update August 1 2024: Russian hacker Roman Seleznev and hack-and-trade scheme participant Vladislav Klyushin were among eight Russians released as part of a giant, multi-country prisoner exchange with Russia, the fruit of over a year’s worth of negotiations. Aleksandr Vinnik and Vladimir Dunaev, two hackers in US prisons, do not appear to have been exchanged, even though their names reportedly disappeared from a database of the US Bureau of Prisons.
Appendix: Russian Criminal Code Articles Used Against Hackers
Russia did not sign the Budapest Convention on Cybercrime of 2001, reportedly because it viewed Article 32—“Trans-border access to stored computer data with consent or where publicly available”—as a violation of Russian sovereignty.
English translations of the Russian Criminal Code are available here (pre-2012) and here (post-2012 additions). The punishments for cybercrimes in the Criminal Code are relatively light, and scholars have identified thorny issues in the interpretation of the Criminal Code.
Chapter 28. Crimes in the Sphere of Computer Information
Article 272. Illegal Access to Computer Information
Article 273. The Creation, Use and Dissemination of Harmful Computer Programs
Article 274. Violating the Rules for Operation of the Facilities for Computer Information Storage, Processing and Transmittance and of Information-Telecommunication Networks
Article 274.1. Added to the Criminal Code on July 26, 2017; introduced strong penalties for crimes affecting Russian critical infrastructure
Other relevant articles:
Article 138.1. “Illegal Turnover of Special Hardware Intended for Private Obtainment of Information”; added in 2011 to Article 138 (“Violation of the Secrecy of Correspondence, Telephone Conversations, Postal, Telegraphic and Other Messages”)
Article 159.6. “Theft of another's property or the acquisition of the right to another's property by entering, deleting, blocking, modifying computer information or otherwise interfering in the operation of means of storing, processing or transmitting computer information or information and telecommunication networks”; added to Article 159 (“Swindling”)
Article 163. Extortion
Article 187. The Making or Sale of Counterfeit Credit or Debit Cards, and Other Payment Documents; the charge in several cases against hackers, including most of the REvil suspects arrested in January 2022
Article 210. Creation of a Criminal Community (Criminal Organisation) and Participation Therein
Part 1 introduces the concept of hybrid ransomware: how ransomware attacks serve both financial and political motives and may play a role in Russia's ongoing "hybrid warfare" against the West. In part 2a we look at how Russian cybercriminals are willing to act as warriors for the Russian state against its enemies, particularly the United States. Part 2b shows that Russian cybercriminals are still vulnerable to prosecution and face tension between profit-making and their duty to the Russian motherland. Part 3 argues that, since at least 2016, Russian strategists have explored the use of ransomware to pressure adversary countries. Part 4a makes the case that Russian ransomware actors are “hybrid” in another way: criminals but also valuable IT talent with a fearsome reputation, to be coopted with carrots and sticks comparable to the treatment of common criminals. Part 4b argues that sometimes-puzzling Russian law enforcement patterns in recent years resemble less a desire to crack down on cybercriminals than an effort to use the threat of ransomware as a bargaining chip in pursuit of Russian strategic goals. “Ransom-War in Real Time, Case Study 1” focuses on the Conti/Trickbot and Evil Corp ransomware groups — both of which are known to cooperate with intelligence services — and examines their real-time mechanisms of interaction with state officials. “Ransom-War in Real Time, Case Study 2” examines two disruptive ransomware events from 2019 that show signs of possible state involvement in targeting and timing. “Ransom-War and Russian Political Culture: Trust, Corruption, and Putin's Zero-Sum Sovereignty” draws on recent Western government revelations about EvilCorp to explore how Russian ransomware actors and the Russian government use each other against the background of Russia’s low-trust, zero-sum political context.
“Ransom-War in Real Time, Final Case Study: Tumultuous 2021” puts major ransomware operations of 2021 in the context of this political culture and international tensions of that year.
Russian law enforcement likely could find at least some of those hackers if they wanted to. As one participant in a Russian cybercrime forum discussion sighed, no matter how careful a cybercriminal is, he is likely to get caught. Russian law enforcement likely knows the whereabouts of most hackers, given their attempts to track military-age men. In addition, if they know the real identity of one member of a group, they can induce that person to give up the identities of other members.
The use of imprisoned specialists would be reminiscent of the Soviet sharashka шарашка – an arrangement where highly qualified specialists, often those arrested on political charges, would receive easier treatment in return for putting their expertise to use for the state.
The OCCRP article provides abundant detail on Vinnik’s case, but one aspect deserves skepticism. The author cites IT entrepreneur and convicted criminal Pavel Vrublevsky as a source and takes at face value Vrublevsky’s claim that imprisoned former FSB official Sergey Mikhaylov was a “double agent for US intelligence.” On the complexities of the Mikhaylov case, see here.
While some of his articles use the blanket term “the state,” elsewhere Galeotti has fleshed out his much more nuanced picture of Putin’s government as an “ad-hocracy” of “competing, semi-autonomous actors expected to … generate their own plans to work toward the state’s broad objectives.” “entrepreneurs.” For more, see here.
Kozlovsky’s “final word” at a hearing in late 2021 combines these claims with effusive praise for an unnamed oligarch whose description resembles that of IT entrepreneur and ex-convict Pavel Vrublevsky, the owner of Russian payments firm ChronoPay. In turn, Vrublevsky had said in a 2020 interview that Kozlovsky had been an informant for the Russian government, “But they do not believe him. … Morally, he really should have been supported. …” Kozlovsky’s 2021 “final word” was posted 2 February 2022 by Baza, a muckraking periodical thought to be associated with some faction in Russian law enforcement, suggesting layers of complexity in this case.