The relationship between the Russian government and its vast cybercrime ecosystem has fundamentally changed, according to a recent report by cybersecurity firm Recorded Future. Previously, the state’s intelligence services were known to tolerate cybercriminals, who in turn would often provide information and conduct various activities on the state’s behalf, effectively allowing them to operate unhindered. This already-existing connection, especially with intelligence and law enforcement, was reinforced and shifted following the 2022 invasion of Ukraine, leading many threat actors to pledge allegiance to the Kremlin. This evolution moved the state’s role from passive tolerance to active management, turning cybercrime into a strategic tool for influence and information acquisition, in addition to its commercial value.
International law enforcement actions, such as Operation Endgame, which targeted various botnets, malware loaders, and money laundering services, have significantly pressured this state-cybercriminal interaction. In response to these external takedowns, Russian authorities have adopted a more aggressive and selective stance, conducting high-profile arrests and seizures. This selective enforcement has been described as a way to “govern the market,” with authorities recruiting or co-opting useful talent, selectively enforcing laws when actors become politically inconvenient, and ultimately leveraging the ecosystem as a geopolitical instrument. However, this has resulted in a fracturing of the cybercriminal underground, with actors turning to decentralized operations and increased paranoia to evade surveillance and domestic scrutiny.
This new pattern of selective targeting is best explained through a cost-benefit calculus. Recorded Future notes that high-value ransomware ecosystems with strategic utility to the state persist and are left largely untouched, while expendable cash-out infrastructure is targeted. This dichotomy was clearly demonstrated when Russian authorities quickly announced raids, arrests, and asset seizures against services like Cryptex and UAPS shortly after they were disrupted by Operation Endgame and sanctioned by the US. Conversely, individuals associated with major groups like Conti and TrickBot, which were also targeted by Operation Endgame and are on Europol’s most wanted list, have been shielded, with leaked chats suggesting their senior members maintain direct connections with Russian intelligence services.
The choice of targets and the lead agencies involved—targeting financial facilitators with low intelligence value through the Investigative Committee rather than core operators with ties to security services—aligns with a delicate equilibrium. The reciprocal arrangement between cybercriminals and security services is complex: criminals likely pay for protection and are available to support the state when called upon, with their continued insulation depending on their political cost, external pressure, and usefulness. If an actor becomes too politically significant or fails to provide adequate support, security services are willing to use their legitimate policing powers to target or harass them, ensuring compliance and control over the market, rather than its complete eradication.
Consequently, the underground has had to adapt to this new environment, leading to increased distrust and new operational security measures. Over the past year, ransomware-as-a-service (RaaS) affiliate programs have decreased their open advertisements, pivoting toward semi-closed recruitment that often favors Russian-speaking affiliates over English-speaking ones, a rational response to perceived infiltration and selective domestic enforcement. While the underlying criminal business remains attractive, the bar for trust has been raised, and the emergence of impersonators, data resale schemes, and paranoia among affiliates reflects the increased pressure and the constant need to adapt to both international law enforcement and the selective governance of the Russian state.