Cybercrime and Dark Web Research / Opportunity in the midst of chaos: Russian-speaking cybercriminals grapple with sanctions and forum takedowns

Opportunity in the midst of chaos: Russian-speaking cybercriminals grapple with sanctions and forum takedowns

Opportunity in the midst of chaos: Russian-speaking cybercriminals grapple with sanctions and forum takedowns
Photon Research Team
Read More From Photon Research Team
April 27, 2022 | 8 Min Read

As a threat intelligence professional, it’s difficult to ignore how major developments in the real world affect the lives of cybercriminals. In 2020, threat actors saw instant success when executing COVID-19-themed social engineering campaigns after the onset of the pandemic. In 2021, we saw an unprecedented shift in the cybercriminal landscape after the Colonial Pipeline attack and the swift backlash against ransomware operators that followed. In the first quarter of 2022 alone, the Russia-Ukraine war has affected cybercriminals’ livelihoods, forcing many difficult financial choices and even displacing some from their homes. On top of this, a series of recent law enforcement takedowns has resulted in the closure of two dark web juggernauts – the Russian-language drugs-focused marketplace HYDRA and the popular English-language cybercriminal forum RaidForums. 

With so many significant developments shaking the foundations of the cybercriminal underground, especially for Russian-language cybercriminals, it feels like the next chapter in Russian-language cybercrime is inextricably tied to today’s headlines. This blog explores how current events are shaping the Russian-language cybercriminal scene and how some Russian-speaking cybercriminals are responding to a changing threat landscape.

Sanctions present financial obstacles and opportunities

Russia is no stranger to economic hardships in modern times. The nineties were filled with turmoil for Russia as it attempted to adjust to the post-Soviet era and a market-based economy. In 1998, the country suffered an infamous economic crash that presented an unusual opportunity for a new generation of Russians – cybercrime. Could the punitive sanctions following Russia’s invasion of Ukraine lead to history repeating itself and inspire a new generation of cybercrime? While we can’t say for certain, what we do know is that the economic disruption in Russia has already spilled over into Russia-based threat actors’ lives, as we have witnessed on several Russian-language cybercriminal forums.   

On one platform, in a thread discussing sanctions against Russia, one user remarked that “many of us save our money not only in cash, but also in crypto, stocks and other valuable currencies.” They noted that “many stocks have fallen by more than 35% (mostly Russian),” and asked whether they should pull their money from their investments. 

Russian-language forum user seeks financial advice amidst sanctions against Russia

In the same thread, another user commented that the “situation with America” is “tense,” adding: “I thought of converting my small savings in dollars into rubles and throwing them into the bank for interest, but inflation is a bit**, and the dollar has not grown much over the past 3 years.” This is only a fraction of the overwhelming sentiment among Russian-language cybercriminals that the war is impacting Russia’s economy.  

Conversely, some Russian-speaking cybercriminals are eager to capitalize on new business or investing opportunities, rather than bemoaning the economic situation. On another Russian-language cybercriminal forum, one user doubled down on long-term investments in Russia, forecasting that Russia would eventually bounce back from sanctions and the Russian government would buy back shares of Russian companies’ stock to buoy the economic recovery. The same user later indicated their interest in purchasing alternative investments in cryptocurrency (not surprisingly) and betting on commodities, such as oil and metal. 

 Russian-language forum user discusses long term-investment potential in Russia

HYDRA’s takedown affects Russia’s drug-related cybercrime

On 05 Apr 2022, news broke of a joint operation by German and US law enforcement authorities that resulted in the closure of HYDRA, formerly the world’s largest dark web marketplace with around 2.5 million users. HYDRA mainly focused on the drugs trade but also hosted a sizable selection of digital goods, such as fake passports, SIM cards, counterfeit cash, VPN subscriptions, and cashing out services. Listings on the platform indicated that Russia-based criminals used the site as a digital highway to coordinate illegal drugs trafficking throughout the country, e.g., dedicated sections for drug drops in named Russian cities. The marketplace functioned as its own internal economy, featuring advertisements for jobs for “dropmen,” drivers, and “chemists”  involved in all facets of the drug trade. 

Since HYDRA was such a staple in the Russian drug community for so long, many of its former members will likely be looking for a new marketplace. This is not an entirely unfamiliar experience: Russian-language cybercriminals have dealt with their share of drug-focused marketplaces closing in the past. In fact, HYDRA was actually created circa 2015 to meet a demand for illicit substances while other Russian-language marketplaces were on their last legs.  

HYDRA consistently accounted for the largest share of dark web marketplace revenue (Source: Chainalysis)  

RaidForums’s closure leaves a sizeable gap in the market

On 25 Feb 2022, the prolific English-language cybercriminal forum RaidForums became inaccessible for unknown reasons, prompting speculation that law enforcement agencies had compromised the site. More than six weeks later, on 12 Apr 2022, the US Department of Justice announced the seizure of RaidForums’s main and mirror domains.

After a seven-year stint, and with more than 500,000 members on the site before its takedown, RaidForums’s departure has left a sizable gap in the cybercriminal forum arena. RaidForums was a haven for financially motivated cybercriminals, dedicated to enabling the trade and sharing of illicit information and content, including account credentials, databases, and network access credentials/instructions. 

Although RaidForums was a predominantly English-language forum, its users spanned the globe. Many of its members also had accounts on prominent Russian-language cybercriminal forums. These forums’ database sections attracted members who wanted to re-share or repurpose stolen or leaked databases gathered from RaidForums. It is realistically possible that these Russian-language forums may see an influx of former RaidForums members.

Shortly after RaidForums’s issues began in February 2022, one user of a Russian-language forum expressed concern that their forum would face the same fate as RaidForums. The user stated: “If RF was seized by authorities, they would come looking for other forums as well.” 

Russian-language cybercriminal forum user expresses concern for other forums following RaidForums’s disappearance

In a thread discussing RaidForums’s closure, the representative of the Lockbit 2.0 ransomware group sought other users’ opinions on creating their own “pirate bay” forum that would have no “prohibitions, censorship, and rules”. The representative asked users to “like”or “dislike” their post to show whether they were for or against the idea.

Lockbit 2.0 representative on Russian-language forum suggests an alternative platform in wake of RaidForums’s closure

Alternative platforms emerge

With so many threat actors displaced from cybercriminal platforms, a mass exodus to alternative sites is likely underway. After all, cybercriminals still have bills to pay… especially those in Russia facing a grim economic outlook.

With HYDRA out of the picture, cybersecurity researchers have observed vendors previously active on the drugs marketplace relocating their activities exclusively to Telegram. In addition, the established, Russian-language marketplace MEGA has a strong chance of emerging as the go-to marketplace for former HYDRA users because it also serves a diverse demand for illegal items. Its vendors sell illicit substances and digital goods, including databases, carding and counterfeit-related products, ready-to-use hacking software, and social media accounts. From 2021 to 2022, MEGA’s user base increased by approximately 1,700; it will likely continue to grow in HYDRA’s absence.

The number of active sellers on MEGA has grown from 900 to 2,600 from 2021 to 2022

On 16 Mar 2022, a prolific, well-respected user of Russian-language forums and a former RaidForums member introduced a potential successor to RaidForums called BreachForums. Although still very much in its early stages, BreachForums has the potential to become a proper replacement for RaidForums. At the time of writing, the site has more than 5,000 members and counting. Some of the newly registered usernames on BreachForums are identical to those used on Russian-language cybercriminal forums, which is a good general indicator that cybercriminals have likely migrated to the new platform. BreachForums has nowhere near the user base and popularity of RaidForums, but it has some advantages that could enable it to grow: providing incentives to former RaidForums users, appearing and functioning similarly to RaidForums, and having an administrator who is a well-known and reputable former RaidForums user.

A former member of RaidForums announced the launch of a new cybercriminal forum named BreachForums

Final thoughts

While MEGA, BreachForums, and Telegram appear to be early favorites for adoption by some Russian-language cybercriminals, existing and well-established Russian-language forums will likely see an influx of some of these displaced individuals. Despite major law enforcement successes, cybercrime will almost certainly remain prevalent on these alternative platforms. We may also see increasing numbers of Russia-based cybercriminals compelled to pursue more financially-motivated cybercrime in response to the sanctions’ effects on Russia’s economy. 

Digital Shadows tracks hundreds of marketplaces and cybercriminal forums, as well as over 75 ransomware data leak sites.  If you’d like to search the dark web and cybercriminal underworld for malicious mentions of your organization or exposed data for sale, sign up for a demo of SearchLight here. Alternatively, you can access a constantly-updated threat intelligence library providing insight on this and other cybercriminal-related trends that might impact your organization and allow security teams to stay ahead of the game. Just sign up for a free seven-day test drive of SearchLight here.