
Factors Affecting Russia’s Recent Arrest & Prosecution of Cyber Criminals.
13 December 2024 TLP: CLEAR


This thematic paper was produced by Elemender's CTI team to inform the reader of how cybersecurity and geopolitical events will shape the threat landscape in 2025 and beyond.

For further information or a demonstration of our products please visit our website: elemendar.ai

 

Previous Threat Intelligence Updates can be found HERE.

 

A glossary for terms used in our reporting is available HERE.


Executive Summary

Introduction 

Overview of Russia’s Relationship with Cyber Criminals

Russia’s Action Against Cyber Criminals in 2024

What Will Russia Do Next?

Conclusion

Annex A: References

Executive Summary

Russia’s recent arrests of cyber criminals are likely pragmatic decisions by the Russian state to further its geopolitical aims as peace talks in Ukraine look increasingly likely.

 

The arrests have focused on groups and individuals sanctioned by the US. With the election of Donald Trump, negotiations for peace in Ukraine are likely and cyber criminals are a valuable asset to be traded in exchange for leverage and to show a willingness to cooperate with the US. 

 

Russia has traditionally fostered an environment that supports cyber crime so long as it supports Russia’s political aims and attacks are not conducted against Russian institutions. In addition, many of these groups act as proxy forces for Russia and often receive covert support from Russian Intelligence Services. 

 

The war in Ukraine and the Wagner Group rebellion in 2023 have damaged the authority of the Russian state and have likely caused Putin to view Russia’s proxy forces with greater suspicion. With cyber groups showing an acute ability to damage the governments, economies and CNI of other countries, it is likely that the Russian regime is also motivated by a desire to assert authority over these groups and prevent them from targeting the Russian state.

 

Russia is likely to continue to visibly crack down on cyber criminals that are of interest to the US over the next 6 months to curry favour with the Trump administration during initial peace discussions. 

 

The long-term actions of Russia hinge upon these discussions. A successful peace deal is likely to see Russia continue to visibly counter those that are sanctioned by the US. A failed peace process will likely see Russia abandon its policy of arresting cyber criminals.

 

Whichever outcome follows, it is highly unlikely that Russia will fully abandon its position on cyber crime due to the potential such groups have to operate in support of the Russian state. 


Introduction

Throughout November and December 2024, OS reporting indicates that the Russian state has arrested a number of cyber criminals. This marks a notable change from its usual blind-eye position of allowing cyber criminals to operate within its borders. This raises the question: why has Russia deviated from its norm and arrested these criminals? This paper will seek to answer that question and assess what may happen next.

 

To achieve this, Russia’s historic relationship and policy decisions regarding cyber criminals will be explored. Once this is understood, the recent arrests will be examined and the factors likely contributing to Russia’s recent decisions will be analysed. Lastly, an assessment will be made of Russia’s likely future actions.

Overview of Russia’s Relationship with Cyber Criminals

Historically, the Russian government and legal system have largely ignored cyber crime within Russia’s borders. The exception to this is when the crime is directed at the state’s own institutions. As the rest of the world seeks to combat cyber criminals operating within its borders, Russia has been one of the few exceptions to this rule. Instead, it has become a hub from which cyber criminals operate with relative impunity.

 

The rationale for Russia’s inaction (until recently) on cyber crime is multifaceted and linked to both economic and geopolitical factors. Firstly, Russia’s relationship with cyber criminals exemplifies the pragmatism of Putin’s regime. With decent education standards and state sponsorship of education in IT, Russia has produced a highly technically literate youth. However, with limited employment opportunities, many young people have turned to cyber crime as a means to generate income. While willing to arrest those who act against Russia’s interests, the state overall has been willing to turn a blind eye to these activities if they are directed outside the country. This placates a portion of the Russian youth that may otherwise become economically inactive or relocate to other countries, thus robbing Russia of highly sought-after technical skills. More importantly, it mitigates the threat that this youth may turn against the Russian regime. Russia’s history is steeped in stories of its populace rising up against its various regimes. As such, the Putin regime is likely to have a particular distrust of its people. Preventing a technically literate youth from turning its cyber capabilities on the regime has been a consistent domestic policy aim.

 

Geopolitically, Russia has traditionally adopted a Machiavellian stance towards committing cyber crime against other nations. Russia’s standing with the Western world and its allies has rapidly declined since the annexation of Crimea in 2014. The subsequent invasion of Ukraine in 2022 saw relations deteriorate to points not seen since the Cold War. Faced with sanctions and increased isolation, Russia has sought means to retaliate. Whilst the cyber forces controlled directly by the Russian state are exceptionally capable and an existing threat to Russia’s adversaries, their use would almost certainly be attributable. Cyber criminals therefore give Russia a deniable proxy with which to harm its adversaries. Part of Russia’s acceptance of cyber criminals within its borders has, understandably, hinged on a tacit agreement that the criminal enterprises must align with Russia’s foreign policy aims.

 

Russia’s aims often coincide with those of these groups: ransomware attacks on Western banks, DDoS attacks on European CNI, and misinformation campaigns supporting pro-Russian candidates in Eastern European elections, among others. Whilst unofficial support from the Russian government to these groups was always suspected, the invasion of Ukraine proved these groups are willing to work in direct support of Russia. The ransomware group Conti, for instance, released a statement post-invasion giving full support to Russia and conducted cyber attacks on Ukrainian CNI. In addition, sanctions were levied against Evil Corp and TrickBot due to their links with Russian intelligence services. Both groups also conducted attacks on Ukrainian communications and CNI to support the invasion.

Russia’s Action Against Cyber Criminals in 2024

With these factors combined, it is understandable that Russia has traditionally allowed cyber criminals to operate within its borders. However, in November 2024 the cybersecurity community was surprised to see headlines noting that Mikhail Pavlovich Matveev, known by his pseudonym Wazawaka, had been arrested by Russian authorities. Matveev was a prominent figure in multiple ransomware groups including LockBit and Hive and had been directly sanctioned by the US for his criminal activities. In addition, on 2 Dec 24 it was announced that Stanislav Moiseyev, the cyber criminal who founded the Hydra drug marketplace, had been sentenced to life in prison. On 3 Oct 24, 96 cyber criminals linked to the Cryptex crypto exchange were arrested. What triggered Russia’s actions remains a matter of debate.

 

The bulk of OS media reports have assessed that Russia’s actions are financially motivated. Russia’s arrests of those linked to Cryptex reportedly led to the seizure of $16 million USD, with more likely to be seized during legal proceedings (Cryptex’s services are estimated to have produced $1.2 billion USD). Undoubtedly such funds will be used by the state for its own purposes. However, this is unlikely to be anything but a secondary or tertiary motivating factor in a country with a GDP of $2 trillion USD.

 

A more likely factor for the Russian regime (and one which many defence-based NGOs have highlighted) was the need to impose its authority on these groups in a visible manner. The regime’s position and its authority, once thought to be untouchable, have shown signs of weakening since the invasion of Ukraine. International isolation and a war of attrition have harmed the prestige of the Putin regime both domestically and abroad. The most significant blow to the regime’s authority was the Wagner Group’s rebellion in June 2023. Armed confrontation between Russian forces and its own proxies inside Russia itself eroded the notion that Putin’s authority was absolute and that the state wielded a monopoly on force. In the aftermath of the rebellion, several potential political and military threats have been arrested by the Russian state (and likely assassinated in the case of Wagner’s leader Yevgeny Prigozhin and major political rival Alexander Navalny).

 

Therefore, it stands to reason that a rapidly growing network of cyber criminals in Russia, comprising groups which have severely damaged governments and CNI across the globe, is now likely to be viewed with a greater degree of suspicion by the Russian state. With Wagner showing that disgruntled proxy groups can challenge the regime, what is to stop criminal groups turning their own capabilities upon the state? A public show of force against particular elements within these groups is likely to mitigate the threat they pose through the implied threat of prosecution should the regime disapprove of their actions.

 

Whilst the assertion of authority is undoubtedly a critical factor in these arrests, it is likely that international relations and diplomacy are the primary motivating factor for the Russian regime. President-elect Donald Trump made consistent comments throughout his election campaign that he wished to secure a peace deal in Ukraine. Following his victory in the US election, both Putin and Ukraine’s President, Volodymyr Zelensky, have made comments suggesting a diplomatic end to the war is on the horizon.

 

As previously noted, Russia became politically isolated from the US and its allies in 2022. For negotiations to take place, it is highly likely the US administration would need to see some indication of Russia’s willingness to abide by international law. It is notable that Russia’s arrests have focused on groups and individuals directly sanctioned by the US. In addition, these arrests began in the direct run-up to the election and continued afterwards, thereby signalling to both Republican and Democrat sides a willingness to cooperate. These individuals therefore offer leverage in potential prisoner swaps or direct transfers to US authorities to curry favour. Tackling cyber criminals also offers Russia a chance to show its willingness to cooperate with the US without having to make major concessions on its military activities at this early stage in potential negotiations. Such an action has the added benefit of achieving the separate aim of asserting authority over these criminal syndicates.

What Will Russia Do Next?

Russia’s actions in the next 6 months are likely to show more of the same: a selective crackdown on cyber criminals who (1) are sanctioned or of interest to the US and (2) whose arrest would remove a potential threat to the Russian state. This timeframe gives Donald Trump time to take office and for initial plans and discussions for peace to be set in motion. The medium- to long-term activity of Russia is, however, dependent on two potential outcomes of these talks:

 

1. A successful peace deal in Ukraine and gradual reduction in tension between Russia and the West. 

 

Under these circumstances, cooperation on the issue of cyber crime is likely to be an area that the US will push for heavily. US CNI has been repeatedly attacked by multiple actors, and the threat from Chinese state-sponsored cyber attacks is a growing concern for the US. Successfully containing the Russian cyber threat would enable the US to turn its full attention to the Chinese. As such, Russia is likely to again choose its targets selectively. Those groups which become too prominent and are sanctioned by the US are likely to be tackled. However, it is highly unlikely that Russia will completely dismantle the ecosystem it developed to allow cyber crime to prosper, as doing so is almost certain to pose considerable domestic problems. In addition, a peace deal is unlikely to completely remove the friction between US and Russian geopolitical aims in the long run. Maintaining an environment that would allow Russia to generate cyber proxies for a potential future conflict would therefore be in its interest. As such, it is likely that Russia’s pragmatic approach to cyber crime will continue, with the aim of allowing the practice to carry on under greater management to placate the US.

 

2. A failed peace process and relations with the US stagnating or worsening. 


In this instance, Russia’s prosecution of cyber criminals is unlikely to be a consistent effort, with the exception of taking down groups and individuals the regime deems to be a threat. Russia is likely to continue to foster an environment that enables cyber criminals and their capabilities to grow. As such, an increase in attacks on the West is likely, with tacit support from Russia as a means to damage the West’s economic ability and political will to support the Ukrainians. It is likely that the threat Russian-based cyber criminals pose to the US and its allies will increase.

Conclusion

When seen in isolation, Russia’s actions against cyber criminals are surprising. Its consistent and deliberate fostering of an environment that allows cyber criminals to prosper has been a feature of Russian politics since Putin took power. To see signs of this changing without a stated rationale from the regime is confusing. However, when Russia’s political position, both domestically and globally, is considered, then arguably these actions represent a continuation of the norm for Russia: the protection of Putin’s power at all costs. Realpolitik has been a consistent feature of Russian politics since long before the fostering of cyber crime.

 

Whichever outcome follows potential peace talks, Russia’s relationship with cyber crime is unlikely to change foundationally, but its visible actions may change to obfuscate its true intentions. Russia’s suspicion of the West is deep-set, and its fear of conflict sees it invest heavily in its defences. Russia spends nearly 7% of its total GDP on defence, versus the US’ 3.4% and China’s 1.7%. As the global cyber attack surface grows, it is highly unlikely that a state obsessed with its own defences will seek to remove those that could prove useful in a conflict. Instead, Russia has visibly removed some threat actors to suit its needs, but the vast swathe of cyber criminals remains. These actions are perhaps best described as Russia pulling up some weeds from a garden to placate its neighbours. While this may please the neighbours, the roots remain and more weeds are almost certain to grow in their place.

Probability Language
This document uses probability language based on assessment. Further information can be found in the image below: 

Feedback
We welcome your feedback, as this ensures we meet your needs. Please contact our CTI Director at: cti@elemendar.ai
