Russian-speaking cyber criminals feel economic pinch

Russian-speaking cyber criminals face diminishing financial returns following Russia’s invasion of Ukraine, with many scams becoming redundant almost overnight due to sanctions and increased scrutiny of Russian entities, say Digital Shadows researchers.

Based on anecdotal feedback posted by Russian-speaking cyber criminals to an undisclosed forum, Digital Shadows’ Photon Research Team said the financial success of cyber criminals often comes in peaks and troughs.

This is because although threat actors are able to make a consistent profit through schemes that work for a time, the method in use will eventually become redundant, forcing them to spend time and resources to identify new approaches.

“Always in jumps, some scheme works, you are able to milk it, then the method dies and again you search for another, study it, it takes a very long time,” said one user, according to a screengrab shared with Computer Weekly.

Digital Shadows added that, following Putin’s invasion of Ukraine, which has prompted sanctions and additional scrutiny on all cyber activity originating from Russian entities, many cyber criminals are having to refine and adapt their techniques “to climb out of that trough” again.

“A good example of this is the use of GooglePay and other financial technologies becoming banned for use across Russia. This led to many scams becoming redundant almost overnight,” said Digital Shadows researchers in a blog post, published on 1 September 2022.

The researchers added that, according to another user on the forum, cyber criminals were able to earn as much as they liked before the conflict, but had subsequently lost their ability to successfully conduct “shadow” work.

“In principle, I earned as much as I needed until the special military operation began. I lost my shadow job, and there are only [RUB] 30,000 left in my QIWI wallet and $80 in bitcoin,” wrote the user.

The researchers further added that, for those still able to find shadow work, the prices they can charge have drastically diminished. One user, for example, suggested that prior to the conflict, a threat actor could typically earn $500 for providing initial access to a targeted network.

“Within the context of the conversation, it appears the user was suggesting prices had significantly dropped since that time,” wrote the researchers. “We’ve written numerous times about the rise of initial access brokers (IAB) and how this type of threat actor has greatly assisted cyber crime, however it’s possible that the market has become oversaturated with IABs, and prices lowered as a result.”

The lack of current earnings was reiterated by other users, who suggested that alternative methods had not worked, and they were “tired of living in poverty”.

However, the researchers noted that although the current economic and geopolitical situation has stifled the earning capacity of Russian threat actors, it is likely to be a short-term hindrance. “Many types of cyber crime, including ransomware and account takeover, have thrived in the last year, and that will almost certainly continue as we enter the final quarter of 2022,” they wrote.

They added that there had, however, been a reduction in carding activity – a form of credit card fraud where stolen credit cards are used to charge prepaid cards – although it is difficult to tell if the decline is the result of raids conducted by Russia’s Federal Security Service (FSB) earlier in 2022, or a general change in cyber criminal sentiment towards such schemes.

“We identified during recent deployments that the sentiment among some cyber criminals was that carding was a diminishing art form, which was becoming increasingly difficult to make regular returns from,” said the researchers.

“Some users expressed concerns of the difficulties in receiving up-to-date information over carding activities on forums, while another suggested that they deliberately did not post carding-related information to prevent competitors from gaining an advantage.”

Because carding is often done by those on the lower end of the cyber criminal spectrum without much technical expertise, the researchers said it may be harder for budding cyber criminals to establish themselves if they are unable to use the method as a way of building up a sustainable income.

Alternatively, the researchers posited that the increasing difficulty of carding meant cyber criminals had simply moved on to more profitable endeavours, such as ransomware.

In May 2022, Verizon’s Threat Research Advisory Centre (VTRAC) and 80 other independent industry contributors observed a 13% increase in ransomware breaches in 2021, a year-on-year jump greater than the past five years combined.

According to separate information published by the Photon Research Team in August 2022, a new cyber criminal forum has been established that solely and explicitly targets victims in Russia and Belarus.

Known as Dumps, the forum has a small membership of around 100 individuals, and contains sections offering cyber attacks as a service, data leaks, illicit materials, carding support, malware and access to compromised networks.

The Photon team said that while Russia’s invasion of Ukraine has been condemned around the world, the conflict has proven very divisive in the cyber criminal community.

“Opinions on Russian president Vladimir Putin’s so-called ‘special military operation’ depend on several factors, notably the cyber criminal’s background, political beliefs or other nationalistic drivers,” they wrote.

“As we’ve reported in previous blogs, some internet users have taken it on themselves to take an active role in the conflict, targeting Russian organisations with targeted data breaches, distributed denial of service [DDoS] attacks and defacement activity.”