Russian cybercrime underground: doing “business” in plain sight

The Russian Mafia is a long-standing media staple in the West, portrayed with many myths, but reality is possibly surpassing all of them.

Russian cybercrime appears to be a formidable adversary for the cybersecurity industry, and a huge problem for businesses and individuals worldwide. Meet Securelist’s new fundamental research: Russian financial cybercrime: how it works.

A matter of communication

It’s important to note that “Russian” means “Russian-speaking”, not specifically “originating from the Russian Federation”: the Russian language is actively used throughout many post-Soviet republics, but the Russian-language cybercrime market predominantly consists of citizens of Russia, Ukraine, and the Baltic states.

Securelist says this cybercrime market is well known throughout the world. The first reason is frequent media coverage. The second reason Securelist describes as “the open accessibility of online platforms used by the cybercriminal community for communications, promoting a variety of “services” and “products” and discussing their quality and methods of application, if not for making actual deals.”

In other words, a large number of cybercriminals do their illicit business in plain sight, then go on to commit financial attacks of various scales and sophistication.

Damage estimates

Between 2012 and 2015, law enforcement agencies from a number of different countries, including the United States, Russia, Belarus, Ukraine, and the EU arrested over 160 Russian-speaking cybercriminals, members of various criminal groups. All of those arrested were suspected of being engaged in stealing money using malware; the total estimated damage resulting from their worldwide activity exceeded $790 million. $509 million had been stolen outside the borders of the former Soviet Union. And these are only confirmed losses, the details of which, Securelist says, were obtained by law enforcement authorities during the investigation. In fact, the damage might have been much larger.

Despite this formidable number of arrests, the “market” is still crowded and very much active.

According to Kaspersky Lab experts, over the last three years Russian-language cybercrime has recruited up to a thousand people. These include people involved in the creation of infrastructure, and writing and distributing malware code to steal money, as well as those who either stole or cashed the stolen money.

According to Kaspersky Lab’s Computer Incidents Investigation Department, there are at least five major cybercriminal groups specializing in financial crimes which have been monitored over the last few years. All of them include 10 to 40 people. At the same time, there are about 20 “core professionals” who play leading roles in criminal activities that involve the online theft of money and information across the entire cybercriminal underground. So much damage from so few people.

Business activities

All in all, cybercrime IS a business, operating by the same patterns – by offering “products” and “services”, for instance – and following the same logic – maximizing ROI, etc. It is totally illicit and very damaging, but it is built on the same principles. Cybercrime groups almost openly hire code writers and system administrators, just like normal businesses. Programmers create and modify malware, while admins perform tasks almost identical to those of their legitimate counterparts: implementing the IT infrastructure and maintaining it in working condition.

“Cybercriminal system administrators configure management servers, buy abuse-resistant hostings for servers, ensure the availability of tools for anonymous connection to the servers (VPN) and resolve other technical challenges, including the interaction with remote system administrators hired to perform small tasks”, Securelist wrote.

Cybercriminals also offer the following “products” and “services” to each other and to third parties. Here are the primary offerings highlighted by the Kaspersky Lab researchers:

  • Software designed to gain unauthorized access to a computer or a mobile device in order to steal data from an infected device or money from a victim’s account (Trojans);
  • Software designed to take advantage of vulnerabilities in the software installed on a victim’s computer (exploits);
  • Databases of stolen credit card data and other valuable information;
  • Internet traffic (a certain number of visits to a customer-selected site by users with a specific profile).


  • Spam distribution;
  • Organization of DDoS attacks (overloading sites with requests in order to make them unavailable to legitimate users);
  • Testing malware for antivirus detection;
  • “Packing” of malware (modifying malicious software with special software, so-called packers, so that it is not detected by antivirus software);
  • Renting out exploit packs;
  • Renting out dedicated servers;
  • VPN (providing anonymous access to web resources, protection of the data exchange);
  • Renting out abuse-resistant hosting (hosting that does not respond to complaints about malicious content, and therefore does not disable the server);
  • Renting out botnets;
  • Evaluation of the stolen credit card data;
  • Services to validate the data (fake calls, fake document scans);
  • Promotion of malicious and advertising sites in search results (Black SEO);
  • Mediation of transactions for the acquisition of “products” and “services”;
  • Withdrawal of money and cashing.

Altogether these “products” and “services” are bought and sold in various combinations to enable the following types of crime:

  • DDoS attacks (ordered or carried out for the purpose of extortion);
  • Theft of personal information and data to access e-money (for the purpose of resale or money theft);
  • Theft of money from the accounts of banks or other organizations;
  • Domestic or corporate espionage;
  • Blocking access to data on the infected computer for the purpose of extortion.

Clearly, most of these are business-targeting threats. And this is a very different level of peril compared to hacking individuals, just as organized crime is more dangerous than random thugs operating solo.

To raise your awareness on Russian cybercrime, kindly proceed to Securelist’s article.