How Russian Cybercriminals Are Adapting ML Methods on Ukrainian Conflict?

Blog / Russian Cybercrime: ML Tactics in Ukraine Conflict

More than 30 countries have imposed sanctions on Russia, freezing banking transactions and stopping shipments of critical items such as semiconductors and other types of equipment.

Sanctions imposed on Russia in the aftermath of the 2022 Russian invasion of Ukraine-coupled with capital controls imposed by the Russian Central Bank to counter them—have prompted Russian cybercriminals to devise innovative methods of breaking past the barriers and continuing to launder money.

The Hydra shutdown, coupled with Russian authorities' efforts to tighten control over cryptocurrency transfers and other steps taken by Russia to gain more control over its internet infrastructure, impacted how cybercriminals launder stolen funds.

It has also prompted threat actors to seek workarounds for transporting funds between Russia and other countries, either through new routes or by recalibrating existing cash-out mechanisms—all while scrambling for safety.

Lockdowns led to an increase in cybercrime, fraud, and money laundering, prompting governments to impose stricter penalties.

The Hydra Shutdown Took a Toll on Cybercriminals

On April 5th, 2022, Hydra Market, one of the dark web's oldest and largest markets, was taken down. US and German law enforcement authorities confiscated the servers that controlled the market and $25 million in cryptocurrencies in a combined operation.

Hydra, which was founded in Russia in 2015, had 17 million members at the time of its shutdown and had been the largest market on the dark web since the closing of RAMP, the Russian Anonymous Marketplace, in 2017. According to research by cybersecurity company Flashpoint, the market's concentration was on dealing in illegal drugs, data, falsified papers, and digital services, with yearly transaction volumes skyrocketing from $9.4m in BTC in 2016 to $1.37bn in 2020.

Users of many Russian-speaking illegal groups speculated on the implications of the news. A minority took a wait-and-see approach, noting that it was unknown whether Hydra administrators had also lost access to server backups, but the majority of threat actors believe that a huge number of smaller stores will replace the giant marketplace.

Analysts have spotted merchants that were formerly active on Hydra shifting their operations only to Telegram. Another option is to create decentralized, Telegram-based markets that bring together several merchants. Televend, a now-defunct service, did exactly that. However, because of the presence of the aforementioned networks that aided Hydra's growth into the largest dark web market, its collapse is far from assured.

Criminals Conducting Various Cash-Out Pivots

Peer to Peer Cryptocurrency Exchange

The direct exchange of an item, such as a digital currency, between individual parties without the intervention of a central authority is referred to as peer-to-peer. Even before the invasion, compromised or specially set up accounts at these exchanges were utilized in cryptocurrency laundering activities. The function of P2P exchanges in these transactions might also be to conceal the origin of the funds, and the monies could subsequently be transferred to risky exchanges that do business in Russia or even huge exchanges like Binance.

Traditional Bank Transactions

Because not every Russian bank is currently subject to international sanctions that prevent access to the SWIFT financial communication system, funds can still be transferred to specific Russian banks from Western financial institutions, even if certain threat actors may find it difficult to rebuild an existing cash-out network. Another solution is to make payments through banks in third-party countries that have not joined the restrictions against Russian institutions, such as Armenia, Vietnam, or China.


UnionPay, a Chinese payment system, has emerged as a viable alternative to Western-based credit card firms that have ceased operations in Russia, while recent reports indicate that the Chinese system is apprehensive about partnering with Russian banks. While Western-based cards issued before the sanctions will continue to function, cash-out systems that rely on issuing new cards may switch to UnionPay cards if available.

Prepared To Stay Lowkey

Because financial transactions to Russia are becoming more complicated, and there is concern about an impending crackdown on Russian-linked accounts via cryptocurrency exchanges, some threat actors have suggested using "cold" wallets (wallets that are not connected to the internet) and even gold to store value for a longer period of time.

Criminals Are Not the Only Ones Trying to Evade Sanctions

Despite Putin's claims and the Kremlin's economic statistics, business withdrawals and sanctions implemented in reaction to President Vladimir Putin's unjust attack on Ukraine are severely damaging Russia's economy, resulting in Russia attempting to enforce new ways to reduce these damages.

A Treasury official told senators that Russian President Vladimir Putin might use cryptocurrency to avoid the US and foreign sanctions imposed on the Kremlin for its unjustified invasion of Ukraine.

"Yes, senator," responded Elizabeth Rosenberg, Treasury's assistant secretary for Terrorist Financing and Financial Crimes, when asked if digital assets might be used to avoid sanctions by Sen. Elizabeth Warren, D-Mass.

The Treasury Department has previously identified Russian firms seeking to avoid sanctions by using cryptocurrency. In September, Russia identified 22 individuals and two companies, including a neo-Nazi paramilitary group, for assisting Russia in digitally financing the war on Ukraine.

In April, the agency, along with oligarch Konstantin Malofeyev, privately held commercial bank Public Joint Stock Company Transkapitalbank, and 40 other individuals and companies led by Malofeyev, targeted a virtual currency mining agency for the first time.

That month, Russia-based Darknet Market Hydra and Garantex, a virtual currency exchange, were both sanctioned, partly to close loopholes for prospective sanctions evasion.

Russia Developed Its Own Digital Currency

The US authorities restricted access to all of their assets domiciled in the US or held by someone residing in the US. Treasury also prohibited transactions between sanctioned individuals and anybody in the United States.

However, Russia created its own digital currency in February with the aim of trading directly with nations that will take payments without first converting them to dollars. Because crypto exchanges may be monitored on the underlying blockchain, the country also created mechanisms to hide the source of transactions.

Rosenberg verified that technology that increases anonymity and other techniques used to conceal digital transactions might interfere with sanctions enforcement. Treasury imposed the first-ever sanctions on these "mixers" in May, and another, "Tornado Cash," was sanctioned in August. 


You Might Also Like