Russia’s war on Ukraine making life difficult for Russian cybercriminals

Flashpoint says international sanctions and a string of law enforcement actions are making it harder for criminals to cash out.

Russia’s Feb. 24 invasion of Ukraine has put a serious crimp in cybercriminals’ ability to move and cash out their ill-gotten profits, forcing complicated workarounds and an unsure future, according to an analysis from threat intelligence firm Flashpoint.

The international sanctions targeting large chunks of Russia’s banking system — along with the Russian government’s efforts to counteract them, recent international law enforcement actions against cybercrime forums Hydra Marketplace and RaidForums and measures taken by the Russian government to more tightly control its internet infrastructure — “has challenged the status quo between Russian cybercriminals and the country that turns a blind eye to, or supports, their illicit activities,” Flashpoint researchers wrote in a blog post Thursday.

“It has also prompted threat actors to pursue workarounds to transfer funds between Russia and other countries, either through novel means or by re-calibrating existing cash-out methods — as well as scramble for safety,” the researchers wrote.

Flashpoint researchers monitor conversations and posts in various dark web cybercrime forums which feature not only stolen data and malicious software for sale, but discussions of how to move around and ultimately cash out the profits. Moving the money, typically in the form of cryptocurrency, can be complicated, and opens the door to seizure, both by governments and the cryptocurrency exchanges.


The discussions observed by Flashpoint suggested minor interest in protecting profits with so-called “stablecoins,” which are various forms of cryptocurrencies tied to assets, such as U.S. dollars or gold, or using stablecoins to get U.S. dollars out of Russia and circumvent controls put in place by the Central Bank of Russia limiting such activity.

Other cash-out methods observed in the wake of the invasion include routing conventional bank transfers from a limited number of Russian banks to banks in third countries that have not joined in sanctions against Russia, including Armenia, Vietnam or China, the researchers wrote.

The April 5 seizure of the Hydra Market by German authorities, which included servers and cryptocurrency wallets containing $25 million in bitcoin, “will cause a marked disruption of cryptocurrency-based cash-out operations,” the researchers concluded. Hydra was “emerging as a hub” for cash-out services in response to cryptocurrency exchanges’ increasing know-your-customer and anti-money laundering requirements, the researchers wrote.

“Even though these services can survive outside of Hydra, the uncertainty regarding law enforcement access to past transaction details will likely reduce the clientele of services that formerly operated on Hydra, in the short term,” the researchers wrote.

Russia’s war on Ukraine, and the Hydra takedown, exacerbated an already tough situation for cryptocurrency exchange markets accused of facilitating the laundering of criminal funds.


The U.S. Treasury Department sanctioned Hydra Market April 5, as well as a virtual currency exchange known as Garantex. The sanctions come about eight months after sanctions against another exchange, Suex, and five months after sanctions against Chatex, a separate exchange.

Russia declared war against Ukraine on Feb. 24, 2022. Before, during and after the military campaign began, the CyberScoop staff has been tracking the cyber dimensions of the conflict.

This story was featured in CyberScoop Special Report: War in Ukraine
