{
	"id": "2cac64bf-4b48-4b9d-b87b-ec9ae03471d8",
	"created_at": "2026-04-06T00:12:53.578907Z",
	"updated_at": "2026-04-10T03:19:56.981711Z",
	"deleted_at": null,
	"sha1_hash": "3c6d3ed16e8489d2fc27c94d2470a02de6e61bed",
	"title": "How the Russia-Ukraine conflict is impacting cybercrime",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 37833,
	"plain_text": "How the Russia-Ukraine conflict is impacting cybercrime\r\nBy Intel 471\r\nPublished: 2026-04-01 · Archived: 2026-04-05 13:32:35 UTC\r\nIntel 471 has been monitoring how the ongoing tension between Russia and Ukraine is impacting the cybercrime\r\nunderground. While financially-motivated actors have yet to show their inclination to leverage the conflict for\r\npersonal gain, the recent change of course from Russian law enforcement in the form of arrests and takedowns\r\nshows that the country will leverage the underground for diplomatic advantage in the same way it does for its\r\nintelligence purposes.\r\nWhile there have been cyberattacks on Ukrainian entities over the past month, Intel 471 has not observed any\r\nevidence that these attacks have been carried out by financially-motivated actors. An attack carried out in January,\r\nin which Ukrainian websites were defaced as a cover to launch destructive malware known as WhisperGate, has\r\nnot attracted much attention from underground actors. Of the discussions we observed, a low volume of actors\r\nelaborated on how the attacks were committed and spoke on what they believed to be weaknesses in Ukrainian\r\ncritical infrastructure. The lack of discussion fits the methodology of financially-motivated actors: attacks like\r\nWhisperGate are difficult to monetize. Additionally, a good portion of these forums are pro-Russian in nature,\r\nwith forum moderators frequently discouraging or outright banning discussion threads that discuss politics.\r\nAside from the attack mentioned above, we also observed a small concentration of advertisements and offers\r\nrelated to data tied to Ukrainian government organizations. While the timing of the offers might suggest the actors\r\nused the current Russia-Ukraine tensions as a motivator, or perhaps nation-state affiliated actors were at the helm\r\nin some way, we assess these reasons were likely not the case. 
This assessment comes as the volume of Ukrainian\r\ngovernment data mirrors other instances we’ve observed over the past five years, when geopolitical tensions were\r\ncalm.\r\nConversely, there has been a lot of action in the form of Russian law enforcement arresting various alleged\r\ncybercriminals over the past three months. Most recently, three underground stores trading in compromised\r\npayment card data – Ferum shop, Trump Dumps and UAS Shop – along with the Sky Fraud forum went offline,\r\nwith a note indicating they allegedly were seized by Russia’s Ministry of Internal Affairs (MVD). Later the same\r\nday, the Russian TASS press agency reported six individuals were arrested in Russia on cybercrime charges.\r\nWhile it’s unclear how everyone arrested is tied to the affected forums, one of those men — Andrey Novak — has\r\nbeen linked to UNICC, another carding forum that “closed” last month. Novak was also among those charged in\r\nabsentia in 2018 by the U.S. Department of Justice for allegedly working with notorious malware and carding\r\nforum Infraud.\r\nThese arrests, combined with the actions taken against the REvil ransomware gang, are an unprecedented\r\ndevelopment in how Russian law enforcement deals with cybercriminals within its own borders. For decades,\r\nRussia has been extremely lenient with cybercriminals that have shown ties to Russia and a modus operandi of\r\ntargeting countries that don’t belong to the Commonwealth of Independent States (CIS), an intergovernmental\r\norganization which includes Russia and former Soviet states. 
Cybercriminals have long developed their\r\ntechniques, tactics, and procedures (TTPs) in order to purposely avoid targeting CIS countries and businesses that\r\noperate within them, while forum admins and other organized groups have banned any activity aimed at these\r\ncountries.\r\nIt is possible that the Russian administration has authorized these law enforcement actions as a diplomatic gesture\r\nto Western governments, given that Russia’s domestic security agency, the Federal Security Service (FSB), has\r\npublicly said some of the arrests were conducted in conjunction with U.S. law enforcement. Russia’s desire to\r\npublicize these actions through domestic and international mainstream outlets and social media platforms suggests\r\nthe administration is pushing a message of cooperation and resolution. Should tensions cool between Ukraine and\r\nRussia, we assess it is possible that Russian law enforcement will return to status quo leniency for these\r\ncybercriminals. Until then, Russian-based threat actors could see their country’s law enforcement’s recent actions\r\nas a deterrent to conducting cybercrime activities, which would prove a worthy cause benefiting organizations\r\naround the world.\r\nIt’s also likely that as the situation progresses, opportunistic financially-motivated threat actors may seek to target\r\nentities in Ukraine that may be more vulnerable due to understaffed organizations or overburdened network\r\ninfrastructure. 
Criminal actors may seek to purchase access credentials, personally identifiable information (PII)\r\nor intellectual property to capitalize on the distractions, and financially motivated actors could act as suppliers to\r\nfill that gap.\r\nIntel 471 will continue to monitor, analyze and report on the underground response as the Russia-Ukraine conflict\r\ndevelops.\r\nSource: https://intel471.com/blog/russia-ukraine-conflict-cybercrime-underground",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://intel471.com/blog/russia-ukraine-conflict-cybercrime-underground"
	],
	"report_names": [
		"russia-ukraine-conflict-cybercrime-underground"
	],
	"threat_actors": [],
	"ts_created_at": 1775434373,
	"ts_updated_at": 1775791196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3c6d3ed16e8489d2fc27c94d2470a02de6e61bed.pdf",
		"text": "https://archive.orkl.eu/3c6d3ed16e8489d2fc27c94d2470a02de6e61bed.txt",
		"img": "https://archive.orkl.eu/3c6d3ed16e8489d2fc27c94d2470a02de6e61bed.jpg"
	}
}