Chapter I. The origins of the Russian language cybercriminal ecosystem and the current cybercriminal forums landscape
Insights of the first Chapter:
· RLCF can be classified into 6 categories containing both generalist forums, where a great variety of different illicit activities can be found, and communities that specialize in a particular segment of cybercrime.
· Out of 207 identified RLCF only 94 are active at varying levels. As it was the case 10 years ago, the number of highly active RLCF is stable at around 22 forums, although the nature and types of illegal activities have somewhat evolved.
· The Russian language cybercriminal ecosystem is rather well structured and stable with some old prominent forums occupying a key place in their own category. Overall, the technically advanced forums represent a minority and gather small but active communities.
· An exception is the drug-selling cybercriminal ecosystem who still did not stabilize after the closure of the “Hydra” marketplace. Rivalry and competition are predominant among the RLCF specialized in the trade of drugs. It is currently the most unstable category as new forums are often appearing and threatening to dethrone the current leaders.
The origins of the Russian language cybercriminal ecosystem and forums
Our story about cybercrime in the Russian-speaking part of the world begins in 1983 in the USSR. This year the title of the first known hacker and cybercriminal of the Soviet Union was awarded to Mr. Murat Utrembaev, a young worker of the car manufacturing giant AvtoVAZ. This Soviet citizen was a talented ethnic Kazakh from modest origins who managed to study mathematics in Moscow at the prestigious Moscow StateUniversity. Unfortunately for him, instead of pursuing a brilliant scientific career he was promised, Mr. Utrembaev was forced by the Soviet student repartition system to work as a second-class technical support employee atAvtoVAZ in the city of Tolyatti on the Volga.
Mr. Utrembaev perceived his situation as particularly unfair, as unlike his wealthier and well-connected Muscovite peers, he was unable to bribe his way into a desirable job. Instead, he found himself performing tasks for which he was overqualified. Despite working diligently and seeking recognition, he was left disappointed when the honorific diploma promised by his superiors never materialized. Frustrated by what he saw as a blatant disregard for his efforts,Mr. Utrembaev decided to retaliate by targeting the factory's computer system that controlled the entire car assembly line.
The young man executed his revenge by introducing a diskette with a specially programmed “update” for the factory’s assembly line control software. This act of cyber sabotage effectively halted the production of cars for three days, resulting in significant financial losses for AvtoVAZ, measured in millions of rubles. It took the factory's other programmers a substantial effort and time to identify and rectify the issue caused by Mr. Utrembaev's intervention.
Out of guilt and due to the pressure from law enforcement agents and the factory’s management, Mr. Utrembaev decided to denounce himself and was only sentenced to partially compensate the damage he caused and to conditional imprisonment under the article “For Hooliganism”. Anecdotally, this hack also helped AvtoVAZ’s directors to uncover other malicious activity that was conducted by the factory’s programmers. Some of them created and then solved problems they injected into the code to obtain the payment of bonuses.
Interestingly, the outcome of this story brings to light several significant points that are important for readers to consider. These points give indeed a hint at the preconditions that allowed to the Russian language ecosystem to appear and develop.
Firstly, it is useful to underscore the unpreparedness of the Soviet legal system to tackle cybercrime, a challenge that was not unique to the USSR and its successor states. This phenomenon reflects a broader truth: in all societies and areas of human activity, legal frameworks tend to be reactive rather than proactive. Lawmakers are constantly challenged to update regulations in response to emerging trends and the misuse of new technologies. Recent examples of this include the advent of cryptocurrencies, the scrapping of social networks and the last developments in generative artificial intelligence.
Furthermore, Mr. Utrembaev’s case highlights the linguistic, political and ethnic particularities that are specific to the former Soviet area: a Russian speakeris not necessarily Russian. Indeed, the Russian language is widespread in the former Soviet republics because of the Russification policy that was enforced by the Russian Empire and later by the Soviet leadership. This may seem quite obvious but the confusion between spoken language, political identity, citizenship and ethnicity is so widespread when media talk about “Russian hackers”, that we felt it is useful to underscore this point. To conclude this aside, the only thing that can be deduced from the use of Russian language by a threat actor is that he is probably, but not necessarily, from the formerSoviet Union. The downfall of the USSR provoked a massive exodus of Russian speakers to countries like Israel or the United States, which somewhat complexifies the identification of Russian-speaking cybercriminals. In June 2023, the arrest in the United States of Mr. Ruslan Astamirov, a Russian citizen from Chechenia, for his involvement in deploying the LockBit ransomware, is a fresh example of some of the most confusing cases involvingRussian-speaking cybercriminals.
Lastly, the motives of cybercrime can be diverse, ranging from an act of revenge, as it was for Mr. Utrembaev, to the lure of profits like it was the case for some of the AvtoVAZ’s programmers who hacked their own company to get bonuses for solving the problems they created. The lack of professionally rewarding and well-paid opportunities was also a precondition that enticed Mr. Utrembaev to act the way he did. The downfall of the USSR confronted a significant quantity of technically qualified individuals to complex economic and personal situations, which sometimes corrupted them.
The collapse of the USSR in December 1991 fostered a deep economic and sociopolitical reconfiguration in the former Soviet satellites and particularly in the 15 newborn republics. For the citizens of these States, the 90s were characterized by high levels of poverty, unemployment, corruption, legal loopholes but also by freedom and, for a minority, by previously unseen enrichment opportunities. Technological innovations, such as the swift deployment of the Internet, allowed for instance the development of online banking and new ways of social interactions like online forums. Hacking in the former Soviet Union became a popular thematic among the technically educated population and children eager to learn by reading one of the most famous Russian hacking magazines called “Haker” (see xaker.ru). These new opportunities were rapidly hijacked by immoral but technically literate individuals like Mr. Vladimir Levin, a micro biologist from St. Petersburg, who was able to steal 10 million dollars from the AmericanCitibank in 1994. Though Mr. Levin was arrested and imprisoned for three years, 400,000 dollars were never found.
The lack of dissuasive legal sanctions strengthened the perception of impunity and omnipotence felt by Russian-speaking cybercriminals because they were able to strike anywhere in the world, where a computer system was connected to theInternet. We would like to note that the particularity of life in the SovietUnion, and afterwards in new republics during the complicated 90s, produced a subculture of permanent survival for a part of the population who often faced rationing and poverty. This encouraged a minority of these individuals to distrust anything linked to the administration and disregard laws. Mixed to the remnants of Marxist ideology, and perverted patriotism, it became acceptable for some to steal from the “rich” or from the “bourgeois” (name given to westerners). The main rule of the most capable Russian-speaking cybercriminals was, and still is, to avoid attacking the countries that compose the Community of Independent States (CIS). This code of conduct is sometimes motivated by“patriotic” concepts but also by a rational calculus: avoid attracting the attention of the local law enforcement.
The genesis of the first Russian language cybercriminal forums - A permanently moving and adapting ecosystem
The subsequent low risk – high reward situation led to the apparition of the firstRussian-language cybercrime organizations, and forums specialized in carding. This malicious craft is a form of credit card fraud in which a stolen credit card is used to charge prepaid cards or purchase goods. Websites like the “Boa Factory”or the forum “CarderPlanet”, created among others by the Ukrainian hackersRoman Vega and Dmitry Golubov , were popular places for buying and selling virtually all assets produced by financially motivated online criminal activity in the beginning of the 2000s.The apotheosis of impunity was undoubtedly met when around 40 cybercriminals from the “CarderPlanet” forum organized in 2002, the first ''World Carders''conference in the city of Odessa in Ukraine .
During the first years of the new century Russian-speaking cybercriminals began congregating on various forums such as Antichat (2002), DaMaGeLaB (2004), WASM(2004) or Arbitraj Foum (2004). These platforms serve to this day as hubs for hackers to conduct business, recruit new members, improve skills and learn, all while allowing their member to maintain a degree of anonymity. The later became gradually a crucial aspect of RLCF operations, as over time cybercrime risks escalated even in the post-Soviet States. To enhance privacy, the most sophisticated RLCF began creating Onion mirrors, making them accessible through the Tor network, and claimed that they stopped logging members' IP addresses.
From its inception, this digital ecosystem has continuously evolved and adapted to new lucrative activities like carding, probiv, malware as a service, and the trading of illegal products such as drugs. The Russian-speaking cybercriminal community has been a pioneer in the cybercriminal field and its adaptivity allows it to remain a robust ecosystem to this day. The advancement of technology and various geopolitical developments have nevertheless significantly influenced this ecosystem, leading to its transformation. Like any social group, RLCF have undergone changes overtime, with some forums disappearing or losing popularity.
In recent years, Russian language and other global cybercrime forums have faced various challenges affecting their growth. Between2018 and 2020, a series of confirmed and suspected security breaches impacted several well-known Russian RLCF including Exploit and BHF. These incidents adversely influenced the users' trust in the forums' safety and anonymity. Following these events, persistent rumors circulated about the possible control of major RLCF by Russian or Ukrainian intelligence agencies.These speculations frequently resurface, causing unrest among the members of forums like XSS, Exploit and RAMP.
At the same time, the expansion of Telegram's user base, which soared to 700 million monthly active users in 2023, along with its open API system and flexibility, motivated many cybercriminals to adopt this instant messaging platform. The near-total impunity experienced within Telegram's environment made it an attractive alternative or a supplementary tool to traditional forums for these cybercriminals.
In parallel, global geopolitical shifts have also left their mark on RLCF. The thaw in relations between Belarus and the West from 2015 to 2020, for instance, paved the way for cooperation between Belarusian law enforcement and the U.S. Federal Bureau of Investigation (FBI). Such collaborations have borne fruit, as seen in the arrest of"Ar3s," a key figure in the Andromeda Trojan group and an administrator of the RLCF "XSS," previously known as"DaMaGeLaB". The onset of the Russian-Ukrainian conflict in February 2022 has introduced fresh geopolitical tensions, had already an intriguing impact on theRLCF landscape.
Reflecting on the inception of this research just a year ago, the sheer pace and scale of change within RLCFs and their communities have been staggering. In the past year alone, 17 RLCF have been shuttered or abandoned. At least 15 have had to relocate their domains following seizures by law enforcement. An entertaining instance is the rise and fall of the hacktivist forum "Infinity," created by leaders of the pro-Russian hacktivist group Killnet. This forum's lifecycle- launching at the end of 2022, closing in the spring of 2023, reopening inSeptember 2023, and then being deserted once again - exemplifies the fluidity that is intrinsic to the nature of RLCF and emblematic of the cybercriminal ecosystem as a whole.
Methodological notes and foreword
This first Chapter will mainly talk about RLCF and try to present an exhaustive analysis of the current landscape, nevertheless, forums allowing the topics related to the sale of weapons and illicit pornographic content are not covered. Furthermore, private internal chats, such as the one that existed in the Conti ransomware gang, or private TOX and Jabber communications, are also out of the scope of this research. The same limit applies to Russian language market places as they are not truly places where threat actors communicate, but rather purchase different goods or services.
Our focus on RLCF does not imply that Russian is the sole language that is spoken on these forums. During this investigation we considered that a forum can be labeled a RLCF if Russian is the main spoken language on it, or if the administrators are Russian-speaking threat actors. Presently, the popularity of the Russian language cybercriminal ecosystem magnetizes threat actors from all around the world. This materializes either by the creation of specific English language sections or by the acceptance of the publication of messages inEnglish everywhere. Rare cases of RLCF allowing as well as other languages likeChinese were also observed.
2024 landscape of the RLCF ecosystem
In 2024 the Russian language cybercriminal ecosystem is composed of at least 113 inactive and 94 forums active to a different level.
A glance at the current situation: RLCF typology, creation date and level of activity
Mapping these RLCF implies the need to properly categorize them to facilitate our analysis. To accomplish this task, we have established six categories that represent the primary focus of the forums within the ecosystem. These categories are not ideal and are not meant to encapsulate every activity occurring on each forum; rather, they provide a general sense of the forum's main area of specialization. For example, while many RLCF feature sections on carding, this does not necessarily mean that their central activity is focused on the theft and misuse of banking details. Therefore, these categories should be viewed as archetypes that assist in understanding and evaluating the ecosystem.
Classification of the identified RLCF
- Cybercrime: this category encompasses generalist forums that provide a large range of services and knowledge related to cybersecurity and computer literacy. Typical cybercrime forums are for instance “Exploit” or “XSS”. A threat actor can find there, among other things, topics covering network security, malware and buy access to corporate networks. These communities avoid selling any illicit substances such as drugs or weapons.
Several subcategories can be established:
o Data Leak: RLCF specialize in the sale and dissemination of stolen data belonging to companies or to individuals. "No hide" is one of the most active forums from this group.
o Ransomware: this subcategory is based on only one forum, but its uniqueness deserves attention. The RLCF “RAMP” was created in 2021 at a moment when other cybercriminal Russian-language forums decided to ban any topics related to ransomware after the Colonial Pipeline attack. Though ransomware gangs are de facto tolerated again on RLCF, “RAMP” is a gathering place for threat actors involved in this activity.
- Carding: as the name explicitly suggests, these forums are mostly specialized on credit card fraud where stolen credit cards and banking data are used to purchase prepaid cards or goods that are easy to resell. Other financial fraud technic and tools can be found there. A good example of a RLCF from this category is “WWH-Club”.
- Programming: most popular Russian-language forums that focus on programming languages and computer literacy are generally benign places. For this study, we selected only the forums that allow their members to develop malicious code and discuss malware openly. “WASM” is one of the most famous and emblematic programming RLCF, but as many other forums from this category it is almost inactive.
- Fraud: RLCF that are incorporated in this category are focusing on all fraud schemes that usually require a computer or a phone. Technics such as fake document creation, money laundering, social engineering and marginally malware distribution are debated on forums like “Center Club”, “Darkmoney” or “Dublikat”.
o Lookups (Probiv): forums are probably one of the most CIS specific types of cybercriminal communities. Their members are selling databases containing personally identifiable information on individuals mostly living in the former Soviet Union area. An emblematic service that is sold on a RLCF called“Probiv” is the gathering of all available information about a person or a company. Usually this implies the purchase of private databases or the hiring of an insider from the State administration or a phone company.
o Fake documents: communities like “Dublikat” are somewhat comparable toFraud/Cybercrime RLCF but are specifically focused on the creation of fake documents.
o Financial Services: “Darkmoney” offers a concentration of services related to money laundering and financial fraud.
- Drugs: this type ofRLCF is focused on the promotion and trade of drugs. Customers can find information about sellers and means to exchange their money for cryptocurrencies. “RuTor”, “WayAway” and “Pasaremos” are good examples of such forums.
- Other/Cybercrime:communities specialized in discussions about video games, teenager life, or information technology. Their particularity resides in the fact that topics related to cybercrime are tolerated on their pages. Although, subjects associated with cybercrime are not the core subject of “LolzTeam”, this forum is an important place for threat actors specializing in infostealers distribution.
Levels of activity and creation dates of RLCF
To measure the activity levels of each forum, we assessed the average number of messages posted per day as a benchmark. Forums where the daily message count averages between 1 and 20 were classified in the "Low" activity group. Those with a daily message average ranging from 20 to 100 were considered to have "Average" activity. Finally, forums with a daily message count exceeding 100 were labeled as having "High" activity.
Global observations and trends
The inauguration dates and activity metrics of RLCF highlight noteworthy patterns within the cybercriminal landscape. Among the RLCF that are still active nowadays, only 20 were launched during the first ten years of the century, which highlights the high attrition rate among RLCF but also the durability of some key communities. A second cohort of presently active RLCF was established between 2010 and 2020, with a notable surge of new forums from 2014 to 2016. This period accounts for the creation of 54 RLCF that maintain activity today.
Carding – as one of the oldest cybercriminal craft – is a good illustration of how evolution in popularity and profitability of a particular cybercriminal craft can affect the whole ecosystem itself. A significant proportion, 15 out of 20 RLCF dedicated to carding, commenced operations between 2010 and 2020, reflecting sustained interest in this illicit activity. Nonetheless, the proliferation of carding sections within Cybercrime, Fraud, and even Drugs forums have intensified competition for an active user base. In recent times, numerous carding focusedRLCF have shuttered or fallen into disuse, with 9 currently exhibiting low activity. The enduring presence of carding forums, despite the migration of their participants to Telegram, can be partly attributed to the lower barrier to entry in this illicit trade, which does not always necessitate sophisticated technical skills.
The rise of ransomware as a dominant threat to enterprises, particularly post-COVID pandemic, has concurrently become a profitable venture for cybercriminals. RLCF such as XSS and Exploit are recognized as hubs for ransomware operators and initial access vendors. Following the Colonial Pipeline cyberattack in 2021, leading RLCF temporarily prohibited discussions related to ransomware—a strategic deception. This environment encouraged the notorious ransomware operator, Mikhail Matveev, known as "wazawaka," to establish "RAMP" (Ransomware Anonymous Market Place – not to confound with the famous Drugs forum named Russian Anonymous Marketplace, which was closed in 2017), a forum dedicated to ransomware activities. Despite initial traction, RAMP's growth has been hampered by the erratic conduct of its founder. Its activity level gradually increased since the transfer of owner ship to the threat actor Stallman in 2022, but it is still trailing behind forums like XSS or Exploit. This suggests that ransomware, though it is one of the biggest cybersecurity threats, cannot gather a huge community only by itself and remains a specialized subset within the wider cybercriminal milieu.
Al though apparently not directly linked to hacking, Drugs RLCF are gigantic cash generating machines who have their own money laundering system that is used by other cybercriminals, including the ransomware business. One of these platforms was the Russian language marketplace “Hydra” closed by German authorities inApril 2022. Since then, 8 new Drugs RLCF were launched, which illustrates the dynamism of the ongoing competition between drug dealers targeting the CIS market. After the closure of the marketplace “Hydra”, RLCF like RuTor, Legalizer, and WayAway saw a surge in registrations, accruing between 160,000 to 300,000 new accounts each. On the other hand, the Russian invasion of Ukraine had a negative impact in the Drugs RLCF targeting the Ukrainian market. The Drugs forum Legalizer who is focusing on the Ukrainian market has seen the number of its users sharply drop in 2023.
Lightly active RLCF –forums on the decline and new communities
The majority of lightly active RLCF are rather old Cybercrime, Drugs, and Carding communities. Generalist forums such as “Prologic” or “Xaker” that were launched respectively in 2006 and 2007 are almost abandoned. A similar fate of relative decline can be witnessed on several old Carding forums. RLCF from this category like the forums “Carding forum” or “Monza” which were created in 2009 and 2012, went offline during 2023.
In the Drugs category 10 RLCF are lightly active. This is either explained by the fact that they appeared recently, like for example the forum Solaris, who is linked to a drugs marketplace of the same name, or because they are old but dying projects such as the RLCF “SKP”, thereby their future is hard to predict.As an example, the drugs RLCF “DeepRC” was launched in 2022 but did not survive. Further observation is needed to assess the viability of those forums.
In the case of Programing RLCF the assessment is easier to make as all the 7 forums that are dedicated to malware development are nowadays almost inactive.Their communities were absorbed by generalist Cybercrime forums where topics connected to malware development and programming are commonplace. Forums such as “WASM”, were particularly interesting to follow at a period of higher activity because several moderators of “XSS” and Exploit have started their cybercriminal activities there. Interestingly, the “R0”forum migrated to its own Telegram channel, but the latter is also not very active lately. The creation of the forum “RootZone” is nevertheless an interesting development that can be considered as a risky investment considering the fate of other communities in this category.
Moderately active RLCF – at a crossroad
The group of RLCF with a daily message count ranging on average between 20 and 100 messages are mainly composed of Cybercrime and Carding communities. Moderately active RLCFare nevertheless way more important for the cybercriminal ecosystem than the declining or new forums. This group includes forums that are often at across road as they were in the past either popular forums or are new forums that are on the rise.
The famous generalist forum “Antichat”, launched in 2002, and the Carding forum“Verified”, created in 2005, were both at some point very trendy and attracted an extensive cybercriminal community, but lately their popularity is declining.It is hard to assess if they will grow again or fade into insignificance. Meanwhile, new communities such as “Antimigalki”, “DeepWeb” or “Lozerix” have managed to attract several thousands of users and could become important congregation places in the future if they maintain the current ascending trend.
Highly active RLCF – the core of the Russian language cybercriminal world
Finally, let us have a look at the highly active RLCF, it appears that they are mainly composed of communities focusing on Fraud, the sale of Drugs and gaming forums allowing cybercriminal activity. These groups encompass specialized forums offering illicit financial services, lookup services, creation of fake documents, and of course, various drugs. Successful forums from both categories were mainly launched in the last ten years.
On the contrary, the most prominent forums of the Cybercrime category are old. “XSS” (initially named DaMaGeLaB) and “Exploit” were created respectively in 2004 and 2005, while the less famous but still popular RLCF “BDF Club” was created in 2017.Thereby, the high-level Russian-speaking hacking community involved in ransomware attacks, advanced malware development and vulnerability identification is to a certain extent concentrated around a small number of reputable forums.
Nevertheless, as we are going to see in the Chapter III, RLCF with less advanced communities, like “LolzTeam”,from the Other/Cybercrime category, are playing a crucial role in theRussian-language cybercriminal ecosystem as they gather huge communities of youngling who get familiarized with hacking and illicit activities by, for instance, joining traffers teams.
We hope you have enjoyed this first Chapter and are eager for more in the next one!
This blog post is also available on our cyber analyst's website - cybercrimediaries.com.
 Max Goncharov, “Russian Underground2.0,” n.d.
 “Отомстил за унижения:ветеран следствия рассказала, как ловили первого хакера СССР,” accessedDecember 28, 2023, bloknot-samara.ru/news/otomstil-za-unizheniya-veteran-sledstviya-rasskaza-1500195.
 “Office of Public Affairs |Russian National Arrested and Charged with Conspiring to Commit LockBitRansomware Attacks Against U.S. and Foreign Businesses | United StatesDepartment of Justice,” June 15, 2023, https://www.justice.gov/opa/pr/russian-national-arrested-and-charged-conspiring-commit-lockbit-ransomware-attacks-against-us.
 “The World Of Russian,”RadioFreeEurope/RadioLiberty, June 6, 2019, https://www.rferl.org/a/the-world-of-russian/29984902.html.
 Lucie Kadlecová,‘Russian-language Cyber Crime: Reasons behind Its Success’, n.d.
 Amy Harmon, “Hacking Theft of$10 Million From Citibank Revealed,” Los Angeles Times, August 19, 1995, https://www.latimes.com/archives/la-xpm-1995-08-19-fi-36656-story.html.
 Diasp, “Вне закона: самые известныекардеры,” Diasp.pro - Арбитраж Трафика и Заработок в Интернете, December 6,2021, diasp.pro/vne-zakona-samye-izvestnye-kardery.
 Matt Richtel, “CREDIT CARD THEFT IS THRIVING ONLINE AS GLOBAL MARKET,” The New York Times, May 13, 2002, sec. Business, https://www.nytimes.com/2002/05/13/business/credit-card-theft-is-thriving-online-as-global-market.html.
 Probiv is a typeof service provided by threat actors specialized in gathering personal data about their targets. Probiv service providers offer to try to find the information about their targets from open sources and from stolen private and governmental databases.
 “Интересно - Cлив exploit,” UfoLabs -Лаборатория нло, July 19, 2019, ufolabs.net/threads/cliv-exploit.6198.
 “BHF Взломали,”Информационный портал DARK2WEB, September 9, 2020, dark2web.org/threads/126993.
 “Freedom Fox - Форум Exploit.in Был Продан СБУ,” XSS.is (ex DaMaGeLaB), accessed November 29, 2022, xss.is/threads/74967.
 Ash Turner, “How Many UsersDoes Telegram Have? (Dec 2023),” April 1, 2023, https://www.bankmycell.com/blog/number-of-telegram-users/.
 ‘MastermindBehind Andromeda Botnet Arrested in Belarus’, accessed 16 April 2023, https://www.recordedfuture.com/ar3s-behind-andromeda.
 “What Is an“info-Stealer"? (Part Ⅰ),” InfoStealers (blog), accessed December 30, 2023, https://www.infostealers.com/article/what-are-info-stealers/.
 “The Attack on ColonialPipeline: What We’ve Learned & What We’ve Done Over the Past Two Years |CISA,” May 7, 2023, https://www.cisa.gov/news-events/news/attack-colonial-pipeline-what-weve-learned-what-weve-done-over-past-two-years.
 “Sanctions on Darknet Marketand Ransomware-Enabling Virtual Currency Exchange,” United States Department of State (blog), accessed December 30, 2023, https://www.state.gov/sanctions-on-darknet-market-and-ransomware-enabling-virtual-currency-exchange/.
 “Resecurity | Dark Web Markets Competefor the Drug Trafficking and Illegal Pharmacy Monopoly,” accessed February 20,2023, https://www.resecurity.com/blog/article/dark-web-markets-compete-drug-trafficking-illegal-pharmacy-monopoly.