
New research indicates a strategic shift in the Russian government's relationship with these groups, moving from passive tolerance to a more actively managed model of "controlled impunity." This evolution is largely attributed to unprecedented international law enforcement campaigns, like Operation Endgame, which have disrupted major ransomware operations.
A new report from Recorded Future, titled Dark Covenant 3.0, details a profound transformation within Russia's cybercriminal ecosystem and highlights that Russian authorities are using selective, high-profile arrests to manage domestic cybercrime while often protecting high-value actors.
The research suggests that the perception of Russia as a blanket "safe haven" for cybercriminals is becoming more nuanced. While some monetization services like Cryptex have faced domestic crackdowns following Western pressure, top-tier ransomware groups with suspected ties to Russian intelligence services continue to operate with relative insulation.
Leaked chats and intelligence analysis reportedly expose direct coordination and tasking between some criminal leaders and state intermediaries. For instance, the report cites a separate researcher as saying, “Conti likely had protection from Vladimir Ivanovich Plotnikov, a member of the Russian Duma from Perm.”
Conti ransomware continues to operate with relative insulation due to connections with Russian intelligence services. Despite high-profile international enforcement actions, Conti members have largely avoided significant penalties, benefiting from selective domestic enforcement and even alleged direct coordination with state intermediaries.
This protection underscores Conti's value as a geopolitical asset, allowing the group to persist and adapt amid intensifying global pressure.
This dynamic of selective enforcement is fracturing the Russian cybercriminal underground, fostering paranoia and accelerating operational changes like stricter vetting for ransomware-as-a-service (RaaS) programs and a move toward decentralized platforms.
A notable example is the July 2025 dispute between the threat actor “hastalamuerte” and “Haise”, an operator and representative of the Qilin Ransomware group, following a hacker forum post that accused Haise of failing to pay their portion of the ransom.
Insikt Group observed multiple instances of ransomware group impersonators emerging with pure scam intentions, such as RebornVC, Babuk 2.0, Bjorka Spirit Ransomware, GD LockerSec, FunkSec, Dispossessor, and Rabbit Hole.
Russia appears to be strategically leveraging cybercriminals as instruments of statecraft, balancing the strategic intelligence value they provide against external diplomatic pressure, the report said.
For global cybersecurity, this would mean that while some parts of the ransomware supply chain may be disrupted, core threat actor groups allegedly protected by the state will remain resilient.
The report assesses that this managed ecosystem will continue to adapt, not contract, with Russia's authorities determining which groups are assets to be protected and which are liabilities to be sacrificed.
Recently, the U.K.'s domestic intelligence service, MI5, warned members of parliament that they are targeted by spies from China, Russia, and Iran.