[DarkWeb Insights] The Digital "Thief War": How the COVID-19 Pandemic Triggered a Generational Conflict

Updated: Oct 7, 2021

In the criminal underground, the generational divide can become more dramatic than in any other social niche. The fight between old “traditional” crime elites and reckless newcomers is a classic plot for a crime drama. Russian organized crime has been going through this drama for decades, diving into a violent, existential fight. In the 1990s this fight was referred to as “The Thief War”, and in the 2010s the rivalry of the old and new reached the digital underground. The power and value of those who adhere to an obsolete, strict criminal code are now contested by the nihilism and brutal efficiency of the newer generation. Naturally, with the grim times of the Pandemic, the smoldering fight for power becomes more overt. Paradoxically, this fight can make the industries affected by the Pandemic more secure.

For over a decade, the Russian cybercrime “Old Guard” possessed undisputed authority as the arbiters and judges of the underground forums - the heart of the virtual underground. They were the pioneers who came to the new domain back in the early 2000s. In those turbulent times, they perceived themselves as economic insurgents, partisans willing to challenge the rules of the global market imposed on their post-Soviet lives. They had a strict code of conduct centered around whitelisting of certain areas, victims, and jurisdictions, and they approached hacking as a form of highly weaponized creativity or a kind of militarized artistry.

The new generation emerging in the second decade of the new millennium was less romantic about its craft. These people prioritized revenue and scale over sophistication and politics. They engaged in areas which the pioneers rejected as a form of intellectual and ethical degeneration - ransomware, spamming, automated dissemination of payloads. With the 2017 rise of the GandCrab group, this new generation was able to create its own center of gravity, challenging the hierarchy. GandCrab was not simply a gang with crypto lockers; it was a new form of crime venture - flamboyant, attractive, compelling.

The confrontation became more tangible. Talented “old-school” malware developers were purchasing US breach access on forums to prevent GandCrab from exploiting them and affecting vulnerable communities, especially the healthcare industry. However, they were not able to stop the “Ransomware revolution”. The swiftly emerging botnets and ransomware groups ignored the whitelisting dogma. They targeted everyone everywhere and bragged about it on forums.

When, in 2020, the new ransomware syndicates attacked the health industry overwhelmed by the COVID-19 crisis, the “Old Guard” suddenly received a strategic advantage. The strict criminal code which they used to propagate, and which had previously been seen as an obsolete set of dogmas, now became a legitimate source of pressure against potential competitors. Ethics and politics merged.

The same process has occurred in traditional Russian organized crime since the 1990s, when the crime world was contested between the Thieves-in-law - who were fanatically loyal to a stringent “Thief Code” - and the newcomers, the so-called “sportsmen”, who relied entirely on brute force and a complete denial of any morals.

For the healthcare industry, this is a sign of optimism, as ethics here is entirely interwoven with power and authority. Just as the Thieves-in-law enforced their morals, or “concepts” as they called them, to resist the generational threat from their new competitors, the older members of the Russian-speaking cybercrime community are entrenching their positions within the hierarchy by promoting values amid the Pandemic: propagating moral frameworks that exclude healthcare institutions from their target lists and attacking those who disagree with this whitelisting.

In April 2020, the chief spokesman (if this term could be used for a criminal enterprise) of the REvil ransomware group first faced strong criticism for the group’s attacks on hospitals and was then blackmailed with a threat to disclose their real identity. The underground community noted the irony that the leading criminal collective, notorious for blackmail and extortion, had itself been extorted. To make matters worse for REvil, after they received the threat, the escrow who was supposed to transfer a massive amount of money to their account failed to complete the transaction and the sum was lost. REvil had nothing with which to pay their blackmailers and almost lost their digital coverage. All these events may be unconnected, or they may be a sign of a major power change in the underground.

In this way, our healthcare industry may obtain an unexpected ally. Power is at stake, and we can hope that the anti-ransomware outrage becoming more overt across the Russian underground will result in direct action. In the physical world, the Russian crime traditionalists, the Thieves-in-law, were eventually able to tame the brutes of the “sportsmen” gangs. If the digital Thief War ends the same way, we may hope that at least some values will be strictly kept and preserved.