
Pandemonium in the Dark Web


Written by Tomer Sherbakov

Executive Summary

  • After years of serving as a shelter for Eastern European cybercriminals, Russia appears to be one no longer. Starting in early 2022, the laissez-faire attitude of Russian law enforcement towards cybercriminals operating in Russia is seemingly crumbling.
  • Historically, as long as cybercriminals did not target Russian institutions and citizens, the Russian authorities did not interfere. However, during the first few weeks of 2022, we have witnessed unprecedented, surprising actions by Russian law enforcement, in particular department “K” of the MVD[1], against cybercriminals such as those operating underground carding shops[2] and proxy / socks services, and even the infamous ransomware group REvil.
  • As a result of these actions, panic and fear are spreading amongst cybercriminals operating on Russian soil. Many of them are choosing to “lay low” or disengage from underground communities and networks for fear of law enforcement scrutiny. For example, the operators of at least three leading online carding shops (Briansclub, Centralshop and Ferum Shop) shut down their sites.
  • The crackdown is not over yet, as every week more prominent cybercriminals announce their “retirement” or “hiatus”. Thus, we are left with one unanswered question: how far will Russian law enforcement go?

A Gesture of Good Will

In the summer of 2021, President Biden told President Putin that Russia must crack down on cybercriminals[3], following a number of high-profile ransomware attacks attributed to Russian cybercriminals, such as the Colonial Pipeline attack[4]. Since then, with the prospect of a Russian invasion of Ukraine, political tension between the US and Russia has risen. Yet there appears to be a change in Russian policy regarding cybercriminals operating on Russian soil, possibly as a gesture of goodwill by Russia. The first action under the new policy was the arrest of several members of the REvil group in mid-January[5], followed by the arrest of another cybercriminal group accused of perpetrating large-scale financial fraud[6].

In addition, the Russian authorities launched a campaign to shut down several popular underground shops and services, specifically VPN services and carding shops such as Luxsocks and UNICC, among others. Many of these shops’ home pages were replaced with a warning message from the MVD’s “K” department, such as this:

  This source is blocked.
  UNICC service is closed forever after a special operation by law enforcement agencies. Department “K” of the MVD warns: theft of funds from bank’s credit cards is illegal!

Popular carding shop UNICC's home page with a message from MVD’s “K” department.

Popular carding shop TDStore’s home page with a message from MVD’s “K” department.

Panic Ensues

The efficiency with which the arrests were made suggests that Russian authorities know much more about the cybercriminals operating in the country than previously acknowledged. The scope and speed of the law enforcement actions triggered panic and confusion amongst cybercriminals. In popular Russian online underground communities, there was a surge of posts reflecting fear, confusion, and theories about the reason for the change in law enforcement policy.

A very reputable threat actor replies to another post asking why Russian LE don't pursue scam call centers that target Russia. The reply is: "Call centers do not harm the US. For those who don't understand, starting from the New Year life has really changed."

"It becomes scary. First luxsocks and Revil, now these shops. Looks like it either becomes more dangerous, or LE simply recruit hackers before the possible invasion to Ukraine."

Some cybercriminals questioned how law enforcement succeeded in tracing them despite the various anonymizers they use to obfuscate their digital activities, a question that raised the fear level amongst cybercriminals further.

"It's interesting how the police figure out entire groups that 100% use different anonymizers. Is everything really simple and tied to bitcoin and cashing out?"

As a result, many cybercriminals feel that Russia can no longer be a safe haven, and some are considering moving to countries they consider safer, such as India, China, Israel and other countries in the Middle East.[7]

Time for Sabbatical or Retirement?

Many Russia-based cybercriminals now feel unsafe and are calling on fellow cybercriminals to be careful and lower their profile in order to avoid arrest. One reputable member of a leading Russian underground forum posted the following:

If I were the owners of carding shops, I would leave my lairs for a while, without a phone and the Internet, to some wild nature to live in the taiga or the Altai Territory and would do it as discreetly and anonymously as possible, without traces … Since the end of the year, there have been several such eminent people who suddenly decided to quit, among them are carding shops and other socks services, etc. or maybe it was not they who wrote it, but someone instead of them … or they were given to understand that "bring it to us" and close your service … everything can be, everything can be …
Message conveying fear by a reputable member of a Russian underground forum.
"The hard days have come. Stay safe and always remember about OpSec".

In particular, several leading Russian carding shops went offline, announcing in various underground forums that they are ceasing operations. For example, the owner of Wix, a popular carding shop, posted on an underground forum that he and his associate are closing the shop permanently and leaving the forum due to the shutdown of other leading carding shops by Russian law enforcement.[8]

Announcement by the owner of Wix regarding the shutdown of the shop

Centralshop, another popular carding shop, announced that someone had hacked its bitcoin wallets and that, as a result, the shop is shutting down. This aggressive and unconventional move was likely carried out by Russian law enforcement, perhaps as a warning to other cybercriminals.

Last message posted by the owner of Ferum Shop, a popular carding shop

Another warning was left on the homepage of XSS[9], a popular Russian-language underground forum. The forum was shut down by the MVD, and its homepage now carries an announcement to that effect. The source code of the homepage includes the text "Who’s next?", indicating that the crackdown is not over yet.

A message apparently left by Russian law enforcement in the source code of XSS: "Who's next?"


[1] MVD - Ministry of Internal Affairs of the Russian Federation, https://en.wikipedia.org/wiki/Ministry_of_Internal_Affairs_(Russia)
[2] Carding shops are online marketplaces that facilitate the buying and selling of stolen / hacked credit and debit cards. Many of the leading carding shops are operated by Russian or Eastern European cybercriminals.
[3] https://apnews.com/article/joe-biden-europe-technology-government-and-politics-russia-594b22105c93a4cb2962fea6a4763da0
[4] https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password
[5] https://www.bbc.com/news/technology-59998925
[6] https://www.rbc.ru/society/07/02/2022/62012fed9a794712922408ee#
[7] https://lenta.ru/articles/2022/02/05/revil/
[8] At the time of writing, the shop appears to be under new ownership.
[9] Xss[.]is

About the Author

Tomer Sherbakov is a Threat Intelligence Analyst at Q6 Cyber. Prior to Q6, Tomer was a Cyber Threat Analyst in the Israel Defense Forces.