Russia Pivots, Cracks Down on Resident Hackers - Dark Reading
Thanks to improving cybersecurity and law enforcement action from the West, Russia's government is reevaluating which cybercriminals it wants to give safe haven from the law.
Nate Nelson, Contributing Writer
October 22, 2025
For the first time in history, the Russian government has been partially cracking down on its cybercriminal underground.
Cybercriminals operate everywhere, but Russia has always been the world's epicenter, primarily thanks to the carte blanche they're afforded by the state. At best, Russia's oligarchy has turned a blind eye to cybercrime within its borders. In many cases, state institutions and powerful officials have actively collaborated with, recruited, and otherwise aided Internet criminals.
In a new report, and an exclusive interview with Dark Reading at its Predict conference in Manhattan in early October, Recorded Future hypothesizes that this symbiosis is starting to show cracks. Thanks to some major developments in the West — namely, increased law enforcement against Russian cybercriminals, and improving cybersecurity across sectors — Russia's law enforcement has been revoking the safe harbor it provides some low-level cybercriminals.
"The key finding here is that Russia is acquiescing a little bit to the West," says Recorded Future threat intelligence analyst Alex Leslie. "You [once] had that unwritten rule of: if I'm a cyber criminal, as long as I don't target Russian organizations and individuals, I won't be prosecuted. That has actually changed."
Russia's motives for doing this are complex and in some ways cloudy. Regardless, whichever direction it takes from here will carry staggering implications for global cybersecurity.
The Dark Covenant Between Russia and its Cybercriminals
Russia's cybercriminal underground has always been valuable to the Russian state. It's a drain on nations adversarial to Russia. It's a meaningful and endless source of income for young men without promising job prospects, who might otherwise commit domestic crimes. It's a zero-cost talent pipeline for state institutions that run offensive cyber operations. The state can even outsource its operations to high-level criminal groups, affording it a degree of plausible deniability.
For these reasons and more, the Russian powers have always maintained a social contract with lowly hackers: As long as the hackers don't attack targets within Russia, they can do whatever they'd like with impunity. The police won't arrest them, and international police won't even get a sniff.
In some cases the state doesn't just ignore hackers, it works with them. Leaked chats indicate that Conti members have enjoyed private flights with Vladimir Ivanovich Plotnikov, a member of the Russian Duma. One member is known to have supplied the Main Intelligence Directorate (GRU) with intelligence related to COVID-19. The group has also attacked known targets of the Russian state, whether by coincidence or coordination.
Leslie adds another example. "In the context of Ukraine, the GRU has various layers of institutionalized cybercrime involved. They inform its offensive operations, and have since 2022. Every layer of that institution relies on cybercrime in order to function properly."
Breaking with the Covenant
It's difficult to imagine this dark covenant ever wavering, but developments over the past year indicate that it just might be.
Most notably, in October 2024, Russian authorities raided and arrested nearly 100 people involved with Cryptex and the Universal Automated Payment Service (UAPS), money laundering services for the underground. They seized vehicles, property, and $16 million in Russian rubles.
In an April 2025 case, authorities arrested executives of Aeza Group, a bulletproof hosting provider affiliated with many threat actors and illicit marketplaces. They've also tagged hackers associated with the Mamont banking Trojan, and an anti-corruption official who ironically took bribes from the Infraud Organization cybercrime network.
Even leading members of household ransomware groups like Conti, LockBit, and REvil have been arrested, though in those cases the flaccid penalties threat actors faced have indicated a lack of seriousness.
This break with precedent is causing serious ripples in the underground. "We see on XSS on Dark Web forums, actors are starting to get scared. Actors are saying: 'I don't know if I feel comfortable being on a site like this and speaking Russian anymore.' 'I don't know if I feel comfortable associating with other actors like the initial access brokers (IABs), and the data leak brokers, and the infrastructure-as-a-service (IaaS) providers anymore, that I've been accustomed to working with.'"
So why has this been happening?
Operation Endgame: a Game Changer
In May 2024, American and European authorities kicked off Operation Endgame, an unprecedented, large-scale effort to crack down on the people and infrastructure supporting worldwide ransomware operations. Russia's crackdown on cybercriminals began a couple of months thereafter.
This may not have been a coincidence. Recorded Future argues that Operation Endgame raised the diplomatic cost of Russia's safe harbor policy, and, in a softer sense, extended Western authority while relatively diminishing Russia's.
Taking action of its own, by this logic, might have served at least two functions for the Kremlin. Outwardly, if only ostensibly, it demonstrated some desire to curtail cybercrime. Inwardly, it reminded the criminals who's boss — "that we have authority over you, that we have power over you, that you will bend to our will. Specifically in terms of offensive operations abroad: you will fold under Russian intelligence services," Leslie says.
Rather than burn its most useful assets in the underground, however, the Kremlin has pursued a dual-track approach. In essence: sacrificing some pawns to save its queens. Individuals involved in operations irrelevant to state intelligence — for example, money laundering — have faced apparently serious financial and legal penalties. Those of use to the government — leading botnet and ransomware developers from Conti, Trickbot, etc. — have always ultimately been spared by ersatz courtroom trials ending with no real consequences.
The researchers concluded that "these actions appear designed less to dismantle cybercrime writ large than to manage reputational pressure from the West, protect politically connected threat actors, and signal that Russia, not external powers, controls the boundaries of enforcement."
Russia Targets Russians for Targeting Russians
"What we've noticed, at least since 2022, is an increase in attacks by Russia-based groups on Russian organizations. Ransomware attacks. Spreading malware. Hacktivist groups within Russia targeting Russian organizations," Leslie says. In this light, it was the cybercriminals who broke the covenant, and the government that responded. "In order for Russia to allow the free market to function, the free market has to have guardrails. And those guardrails, at least within the last two to three years by our measurements, have deteriorated."
With low confidence, he says, "we speculate that cyber criminal groups are no longer as successful in attacks against Western organizations due to widespread threat intelligence sharing, widespread proliferation of more advanced cybersecurity practices, and cybersecurity regulation." Between improved law enforcement action and uneven but improving organizational cybersecurity across the Western world, Russian threat actors are reconsidering the much easier targets in their backyards.
Leslie warns that "Russian cybercrime is still flourishing. The Dark Web is still flourishing. That's not going to change anytime soon. So I would not recommend any shift in defensive posture whatsoever. What I would recommend is watching very closely how disruptive action scatters the threat landscape, and how you need to adapt and diversify your hunting efforts in order to accommodate."
About the Author
Nate Nelson
Contributing Writer
Nate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost.