Written by Tomer Sherbakov
In the summer of 2021, President Biden told President Putin that Russia must crack down on cybercriminals [3], following a number of high-profile ransomware attacks attributed to Russian cybercriminals, such as the Colonial Pipeline attack [4]. Since then, with the potential of a Russian invasion of Ukraine, the political tension between the US and Russia has risen. Yet, it appears that there is a change in Russian policy regarding cybercriminals operating on Russian soil, possibly as a gesture of goodwill by Russia. The first action under the new policy was the arrest of several members of the REvil group in mid-January [5], followed by the arrest of another cybercriminal group accused of perpetrating large-scale financial fraud [6].
In addition, the Russian authorities launched a campaign to shut down several popular underground shops and services, specifically VPN services and carding shops such as Luxsocks and UNICC, among others. Many of these shops’ home pages were replaced with a warning message from the MVD’s “K” department, such as this:
This source is blocked.
UNICC service is closed forever after a special operation by law enforcement agencies. Department “K” of the MVD warns: theft of funds from bank’s credit cards is illegal!
The efficiency with which the arrests were made suggests that Russian authorities know much more about the cybercriminals operating in the country than previously acknowledged. The scope and speed of the law enforcement actions triggered panic and confusion amongst cybercriminals. In popular Russian online underground communities, there was a surge of posts reflecting fear, confusion, and theories about the change in law enforcement policy.
Some cybercriminals questioned how law enforcement succeeded in tracing them despite the various anonymizers they use to obfuscate their digital activities, a question that raised the fear level amongst cybercriminals further.
As a result, many cybercriminals feel that Russia can no longer be a safe haven, and some are considering moving to countries they consider safer, such as India, China, Israel and other countries in the Middle East [7].
Many Russia-based cybercriminals now feel unsafe and are calling on fellow cybercriminals to be careful and lower their profile in order to avoid arrest. One reputable member of a leading Russian underground forum posted the following:
If I were the owners of carding shops, I would leave my lairs for a while, without a phone and the Internet, to some wild nature to live in the taiga or the Altai Territory and would do it as discreetly and anonymously as possible, without traces … Since the end of the year, there have been several such eminent people who suddenly decided to quit, among them are carding shops and other socks services, etc. or maybe it was not they who wrote it, but someone instead of them ... or they were given to understand that "bring it to us" and close your service……everything can be, everything can be…
In particular, several leading Russian carding shops went offline, announcing in various underground forums that they are ceasing operations. For example, the owner of Wix, a popular carding shop, posted on an underground forum that he and his associate are closing the shop permanently and leaving the forum due to the shutdown of other leading carding shops by Russian law enforcement [8].
Centralshop, another popular carding shop, announced that someone hacked its bitcoin wallets and as a result, the shop is shutting down. This aggressive and unconventional move was likely carried out by Russian law enforcement, perhaps as a warning to other cybercriminals.
Another warning was left on the homepage of XSS, a popular Russian-language underground forum [9]. The forum was shut down by the MVD, and its homepage contains an announcement to that effect. The source code of the homepage includes the text “Who’s next?”, indicating that the crackdown is not over yet.
About the Author
Tomer Sherbakov is a Threat Intelligence Analyst at Q6 Cyber. Prior to Q6, Tomer was a Cyber Threat Analyst in the Israel Defense Forces.