While some of us might be taking it easy after the excesses of the Christmas period, January certainly hasn’t been a slow news month in the world of cybercrime. The FSB arresting alleged members of the ransomware group REvil (aka Sodinokibi) at the apparent behest of the FBI coincided with a massive cyberattack against organizations in Ukraine. We can only speculate on the exact reasons behind these arrests, but one thing we can say for sure is that these events have sent some Russian-language cybercriminal forum users’ blood pressures through the roof. Over the years, we have witnessed a constant level of chatter on the forums about the prospect of arrest and imprisonment, but the community has never appeared so worried about how their cybercriminal careers may end and how they might fare in jail. In this blog, we’ll take a look at how threat actors on Russian-language cybercriminal forums rate their prospects of being arrested and how they fancy their chances in prison.

Prison time for cybercrime

One of our past blogs examined how cybercriminal forum users view their chances of ending up in prison. In short, we observed a widely held belief that threat actors who do not target victims in the Commonwealth of Independent States (CIS) would be protected from prosecution because of the perceived corruption of the Russian legal system and the state’s apparent lack of interest in convicting its citizens who target victims in other geographies. Almost all Russian-language hacking forums forbid their users from targeting victims in the CIS, and moderators and administrators strictly enforce this rule. Similarly, the Russian constitution’s prohibition on extraditing Russian citizens appears to have led many cybercriminal forum users to believe that they will be safe as long as they do not travel outside the country. The party line was: “Stay in Russia, don’t attack Russia or its allies, and life will be sweet.” In 2020, one forum user wrote, “If you’re working on the Russian Federation, then they’ll hunt you down, but if you’re working on the EU or the US, then nothing will happen, no one will care, until you visit the EU or the US.”

Figure 1. Forum user expresses belief that threat actors who don’t target Russia will be safe from prosecution by the Russian state

Since the REvil arrests, there appears to be a consensus that these adages no longer ring true. As one forum user put it: “A precedent has been set.” Russian hackers are now grappling with the genuine prospect of arrest on their own soil, even if they only target foreign victims. Another user commented, “if you still continue to firmly believe that if you are in the Russian Federation, then nothing will happen to you, no matter what you do, this faith will destroy you.”

As a result, questions such as: “What will happen to my stuff if I get arrested for money laundering?” or “How many years will I get for ransomware?” are becoming increasingly common on cybercriminal forums, as users worry about the arrests’ implications for their own malicious activity. Much of the debate centers around whether it is better to be incarcerated for cybercrime in Russia or the US.

Figure 2. Forum user asks “How are we treated in prison?”

 

Prison in Russia: Better the Devil You Know?

Forum users generally point to three main but contradictory outcomes for cybercriminals who end up in Russian prison: an easy time, harsh treatment, or an increased sentence. 

1. “You’ll be fine”

Some users suggest that other prisoners will largely ignore convicted cybercriminals because they do not care about cybercrime. They claim that as long as cybercriminals don’t boast about their ill-gotten gains, no one will pay them much attention. One user advised convicted cybercriminals not to disclose their specific industry so that other prisoners would respect them simply for being a thief. Others have said that cybercriminals will be able to “serve and enjoy” their time in jail because prisoners and staff look upon cybercrime targeting Western organizations more favorably than violent crime against Russian nationals, for example. We’ve also seen suggestions that cybercrime carries a certain kind of kudos akin to that enjoyed by bank robbers. A forum member who claimed to have served time in multiple Russian prisons wrote, “I’ve been everywhere […] they’ll beat you for other things, but not for computers.” 

Figure 3. Forum moderator expresses belief that cybercriminals would not experience violence following arrest

 

2. “You will not be fine”

Other forum users, including those claiming to have served time in Russian prisons, allege that hackers are “weak nerds” who will not be tough enough for the harsh environment in Russian jails. One threat actor painted a particularly bleak picture: “if you’re so worried about this issue now, then make no mistake: if you end up [in prison], they will 100% kill you.” Another agreed, writing: “god forbid you even think about going there. It’s a world of its own.” One forum member claimed that the vory v zakone [Russian prison mafia] would force cybercriminals to work for them, even after the sentence had finished: “The Urki [career criminals] will advise the Bratva [Russian mafia] so that you work for them after your release, if you run your mouth too much.”

Figure 4. Forum user opines that cybercriminals would certainly be killed by hardened criminals in prison 

 

3. You will be fine, but you will never leave

A third opinion holds that prison staff will look after convicted cybercriminals and may even allow them to continue their activities in prison. In 2015, one user wrote: “if you let people know that you can make money rummaging through computers,” then “they’ll give you a laptop” and “set you up in a separate cell with all the benefits”, so you can “work”, implying that any profits from cybercrime would be given to prison staff. This user noted that such treatment would not come without a cost. The same corrupt officials would allegedly find a way to increase the prisoner’s sentence: “you won’t be able to earn much, but your term [sentence length] will grow by the year,” because “no one will release the hen that lays golden eggs”.

Figure 5. Forum user states that prison staff would exploit cybercriminals in prison

Prison in the US: Easier but longer

The REvil arrests have led cybercriminals to contemplate not only jail time in Russia, but also extradition to the US, although many remain pretty confident Russia will not extradite. The consensus on Russian-language cybercriminal forums holds that while Russian prison is harsher, terms are much longer in the US, where “they’ll give you centuries to think about what you’ve done”. In 2015, after a cybercriminal’s sentence was commuted in Russia, a forum user commented: “in the US you’d be put away for 15 years for such crypting”. This belief has held into 2022. Following the REvil arrests, one user noted that the arrested individuals have been charged under money laundering laws that carry a maximum sentence of seven years. Another user commented that seven years is “a very long time,” but less than “the terms REvil would face in the US.”

Many forum users have expressed the belief that although both countries largely follow the “prison for punishment” model rather than the “prison for rehabilitation” school of thought, conditions are much harsher in Russia. Comments like, “Serving time in American prisons isn’t too bad, but the terms are long” are common. “Svezhak”, a convicted Ukrainian cybercriminal who served time in the US for bank fraud, echoed this sentiment in their memoirs, writing fondly of their treatment in some US prisons and the surprising lack of violence compared with jails in the CIS.

Figure 6. Forum user states that sentences for cybercrime are much longer in the US than in the CIS

 

The benefits of speaking English

Some forum users have pointed out that a Russian cybercriminal’s time in a US prison would depend on their ability to speak English and assimilate to US prison culture, where inmates are often divided along racial and ethnic lines. One user wrote, “If I were given the choice to serve in a Russian/Ukrainian prison for 5-7 years or in an American prison [for the same time], I would probably still choose the American”. Another user replied, “without fluent English? […] you won’t even know the slang”, indicating that Russians who are not fluent in American culture will not fare well in US prison. It’s possible that Russians are projecting the importance of Russian prisoner dialect, which is much more than just slang, onto US prison culture, although Svezhak wrote in his memoir that he struggled in US prison until he learned English. 

Figure 7. Forum user claims that Russian nationals would struggle with a lack of language and sense of belonging in US prison

East or West, staying out of prison is best

Some forum users highlighted the futility of comparisons between Russian and US prisons, noting that arrested cybercriminals will not have a choice in the matter and cannot plan for either outcome. These users sought to move the conversation towards improving operational security (OpSec) to avoid going to jail in the first place. Many argued that REvil members became overly confident in their abilities and took excessive risks with their OpSec, using vulnerable tools and infrastructure or boasting about their activities to friends and family. As one user put it: “It is impossible to separate technical security from personal security”.

The recent arrests have certainly got users worried. Threat actors operating out of the CIS doubt they can still count on “immunity” due to who they target. Now more than ever, they must keep looking over their shoulders, fixing past mistakes, and coming up with new ways to beat the technology used to track them. Digital Shadows (now ReliaQuest) monitors threat actor activity across the cybercriminal landscape, providing unique insights to help organizations understand the nature of the threat actors looking to get access to their assets.