Most readers will be aware of the threat posed by Russian-speaking cybercriminals, be that big players in the ransomware game, the metaphorical mountain of initial accesses traded on Russian-language forums, or the sophistication of Russian APTs. But Ukrainians are heavily involved too. Many a cyber police raid has taken place on Ukrainian soil in recent years. From creating extremely dangerous malware to bulletproof hosting, Ukrainian cybercriminals have proven themselves to be highly capable adversaries. In this blog, we’ll take a look at the use of Ukrainian on the dark web and why Ukrainian-language cybercriminal platforms differ from their Russian-language counterparts.
Searching for a ghost: The hunt for Ukrainian-language platforms
Our search for Ukrainian-language cybercriminal platforms did not uncover any prominent or active sites. Law enforcement took down the last such example, xDedic, in 2019. xDedic was a fairly successful marketplace selling hacked remote desktop protocols (RDPs) and dedicated servers that could be used to carry out further attacks. hackerst0wn and HackUA were other Ukrainian-language “hacking forums” that went down in 2016 and 2012, respectively. There are still some Ukrainian-language forums online, but these either appear to have been abandoned or never got off the ground in the first place. One forum we found last saw activity in 2010 and currently only has five registered users and two posts across the whole site. The lights are on, but nobody’s home. News reports indicate that many now-defunct Ukrainian platforms catered to more traditional offline crime like credit card theft and money laundering and were linked to crime syndicates in Odessa and Kyiv.
As it turns out, we aren’t the only ones wondering where all the Ukrainian-language platforms are. Ukrainians themselves have been searching for years. One user of a Ukrainian-language programming forum lamented: “I had a look for Ukrainian-language [hacking] forums, I didn’t find a single one” (see Figure 2). But we know the demand is there – we observed another threat actor commenting: “If there were a Ukrainian-language hacker forum, I would hang out there.”
While we didn’t discover a whole swathe of Ukrainian-language cybercriminal platforms during our research, Ukraine remains a hotbed for so-called bulletproof hosting, despite numerous law enforcement campaigns against this industry. These hosting firms afford their customers considerable leniency in the kinds of material they may upload and distribute without getting taken down due to complaints and abuse reports. Many sites advertising bulletproof hosting feature the ability to toggle the site language to Ukrainian, and others use “Ukraine-based” as shorthand for quality and security.
Comparisons with Russian-language platforms
In the absence of currently active, high-profile Ukrainian-language cybercriminal platforms, we turned to “gray hat” Ukrainian-language programming sites to obtain some insight into what the now-defunct Ukrainian-language cybercriminal sites might have been like. These forums are characterized by a sense of community and widespread Ukrainian patriotism. Users frequently discuss Russo-Ukrainian issues, such as the use of Ukrainian at work, Stalin’s policies toward Ukraine, the disputed status of Crimea, and the ongoing war in Donbass–not necessarily topics you’d expect to see on a programming forum.
Users on these sites are really not receptive to the use of Russian. This is perhaps not surprising, given the treatment of those daring to use Ukrainian on Russian-language cybercriminal forums. Ukrainians who use their native language, which is similar to but not mutually intelligible with Russian, are almost universally met with hostility and ridicule. The status of Ukraine as a sovereign nation is commonly disputed in Russia, where a sizable portion of the population holds negative views of their neighbor. Racial epithets, which mock the way Ukrainians speak and the food they eat, are frequently thrown around. Instructing “Kholkhols” (Russian slur for Ukrainians) to go and eat “salo” (cured fat, popular in Ukraine) is a typical response to a Ukrainian attempting cybercriminal discourse in their mother tongue. And these are some of the tamer insults. One Russian-speaking user wrote that they would “cry tears of joy” if Ukrainians were banned from the Internet.
Ukrainian-speaking forum users are well aware of how their former Soviet compatriots perceive them. One remarked, “I know what kind of response [my post] will get… so go get the popcorn” – predicting the flow of insults they would receive following their Ukrainian-language post. However, Ukrainian cybercriminals are also acutely aware of their significant presence on Russian-language platforms, with one responding to anti-Ukrainian insults: “without Ukrainians this forum would be quiet”.
We’ve also noticed that some Ukrainian speakers themselves look down upon their own language. In a thread on one Russian-language forum in which users discussed why Ukrainian-language hacking forums do not last, one user argued that the Ukrainian language was “not up to the task,” stating that “all ‘projects’ end where the Ukrainian language begins.” Another self-professed Ukrainian speaker said that “technical literature in Ukrainian is always either funny or incomprehensible”.
A gap in the market? Maybe not.
Cybercrime shows no signs of slowing down in Ukraine, and Ukrainian cybercriminals have expressed a desire for platforms using their own language. Moreover, we know there’s a sizable number of Ukrainians on existing Russian-language cybercriminal forums. So why have they not created their own? Well, while we can’t say for sure, we do have a few theories.
First, Ukrainian-speaking cybercriminals are highly likely to speak Russian too. As a result of Soviet policies, by the late 20th century, almost all Ukrainians were fluent in Russian. But this fluency is asymmetrical: While most Ukrainians know Russian, most Russians can’t speak Ukrainian. Ukrainians’ fluency in Russian probably meant that when Ukrainian-language sites were taken down, Ukrainian cybercriminals likely migrated to existing Russian-language platforms.
If the linguistic reasons weren’t enough, the changing political situation in Ukraine might also make Russian-speaking cybercriminals wary of using Ukrainian-language platforms, even if they did speak Ukrainian. Cooperation between Ukrainian and Western law enforcement, which has increased as the current Ukrainian administration seeks closer ties with Europe, has led to multiple takedowns of Ukrainian-language sites. This has caused many Russian-speaking cybercriminals to perceive their Ukrainian counterparts as untrustworthy. One thread discussing a joint operation between the FBI and Ukrainian cyber police on a prominent Russian-language forum saw users labeling Ukrainians as “rats.” Others advised not hosting illicit infrastructure in the country due to the threat posed by Ukrainian law enforcement.
So Ukrainian cybercriminals do not need Ukrainian-language platforms to facilitate their malicious activity, and many users of Russian-language forums couldn’t use Ukrainian ones, even if they wanted to (which they don’t). In a world principally motivated by making fat stacks of cash, if it doesn’t make money, it doesn’t make sense. Why should site administrators limit themselves to potential customers from only Ukraine when they could also collect revenue from both Ukraine- AND Russia-based users?
The cybercriminal forum and marketplace scene is fluid and fractured. Given the role played by Ukrainian nationals in international cybercrime and an ever-changing political relationship between Ukraine and its closest neighbor, it’s possible that a successful Ukrainian-language platform may emerge in the coming years. If it does, Digital Shadows will be there to keep you in the know. With in-depth linguistic and cultural knowledge of Russian and Ukrainian, we give our clients unique insights into the cyber threats emanating from these geographies.
If you’d like to learn more about monitoring the Russian- and Ukrainian-language dark web for potential leaked databases, compromised accounts, exploits, target attacks and more, get a free copy of our Dark Web Monitoring Solutions Guide here. Alternatively, you can access a constantly updated threat intelligence library providing insight on this and other cybercriminal-related trends that might impact your organization and allow security teams to stay ahead of the game. Get a free seven-day test drive of SearchLight here.