New Russian Crypto Law - A Government Tool to Take Control Over the DarkWeb Market?

Updated: Oct 8

By Anastasia Sentsova and Yelisey Boguslavskiy

On January 1, 2021, the Russian authorities introduced a new law regulating cryptocurrencies. This law may be a manifestation of the Russian government’s desire to seek control over the DarkWeb markets and its ransomware sector that became extremely prolific over the past two years. The criminal business that runs on cryptocurrency flows is likely to become more loyal to the government, in turn, destructive for those who oppose the regime.


  • The new Russian crypto law requires all cryptocurrency holders including individuals, companies, and Russian authorities to report their crypto transactions and wallet balances if the transaction amounts exceed 600,000 Rubles (approximately $8,124 USD) in a calendar year. The law intends to prevent illegal cryptocurrency transactions and money laundering.

  • In reality, the crypto law might be part of a Russian Sovereign Internet bigger plan and pursue hidden goals:

  • 1) to monopolize the DarkWeb market, including the ransomware sector by excluding its competitors who interfere with government plans and take away the profit.

  • 2) recruit new hackers to enlarge the cyber army and fulfill existing ransomware syndicates, including REvil that can be utilized as an efficient APT group.

  • By establishing the crypto law, the Russian government built a legal base to take over ransomware “businesses”. Tightened on cryptocurrency flows and obligated to report their balances, hackers will no longer be able to “legally” stay in the shade. The criminal enterprise might be easily taken away completely or more likely to be obligated to cooperate with the government for its financial and national good.

  • Such rearrangement of underground forces is likely to increase Russian state-sponsored cyber warfare thus an increase of cyber espionage and targeted ransomware attacks. Powered with a strong cyber army and large amounts of cryptocurrency, Russia will raise its ability to “eliminate” those who are at odds with the government's interests.

Image Source:


Starting January 1, 2021, according to the newly established crypto law, all cryptocurrency holders including individuals, companies, and government officials are obligated to report their crypto transactions and wallet balances to tax authorities if the transaction amounts exceeds 600,000 Rubles (approximately $8,000 USD) in a calendar year. DFAs (digital financial assets) can be sold, purchased, exchanged, and pledged but cannot be used as a means of payment. The deadline to report is set to be April 30, 2022. Failing to report twice in three years or providing inaccurate information will result in monetary fines, forced labor, and imprisonment.

Regulation of cryptocurrency is not something new and unusual for Russia. The technological development brought many opportunities, but also set the stage for new kinds of war with the use of seemingly invisible but powerful weapons. Many of these weapons are not controlled and regulated by states as they exist in the cybercrime domain, which has its own politics and economy. As a result, the nation-states are trying to gain higher authority, control, and surveillance over this nascent domain.

Russia is not an exception. For years, the Russian government has been calling for the creation of a Sovereign Internet - a so-called “RuNet” which will be hosted on domestic infrastructure and consist of networks and systems located on Russian territory.

For Russia, this issue of centralization of government authority over the digital space has been a highly political matter. The Internet and digital spaces were actively used by political groups, including non-state and anti-state actors. For instance, the anti-corruption platform of one of the leaders of Russian opposition - Alexy Navalny - was prioritizing cyberspace specifically. Navalny was able to win over a part of the electorate through his investigations denouncing the corruption of government officials and their pro-regime allies published via YouTube, Telegram, social media, and other digital platforms.

The timing of the crypto regulation laws discussed in this research and a new attempt to establish control over the digital space is not coincidental. Currently, the Kremlin faces a new round of exacerbation of its relationship with the Russian opposition: primarily Navalny, whose detainment on January 20, 2021, led to massive protests that are currently ongoing. Advancing the regime’s ground and establishing control over the digital space can help the Kremlin to turn this space against the internal opposition. However, as illustrated by the Kremlin’s strategies in 2012 and 2016, the tools which the Russian government test and calibrate in this domestic fight for cyberspace can be used against the international competitors of Russia as well.

Investigative Analysis

If successfully developed, the state-controlled and technologically independent RuNet - an infrastructure initially imagined for inhibiting the opposition - can likely change the geopolitical balance of power, create a competitive advantage for Russia in possible future state-to-state conflicts, and even provoke a bigger cyber arms race. By using its own independent network closed from the rest of the world, Russia will still have access to the global Internet and its critical information infrastructure. The dominance of its own digital grounds gives the regime the capability to successfully develop and implement a range of tools equally efficiently against domestic opponents and geopolitical competitors.

And what could be the most effective tools that the regime may add to its cyber arsenal while unifying the Russian-speaking cyberspace? The emergence of the “ransomware pandemic” during 2019 and 2020 suggests an obvious answer.

The year 2020 was swept by a destructive wave of ransomware attacks with the observed shifting of cybercriminals' focus towards commercial and public sector companies. A high number of Russian-speaking ransomware syndicates were identified as being responsible for numerous ransomware attacks resulting in significant financial losses. Moreover, a new trend evolved - the participation in the ransomware "business" of Russian-speaking groups engaging in cyber espionage. In 2019, one of the biggest ransomware syndicates, REvil, added a new technique to their extortionist arsenal: they exfiltrated victims' data before encrypting it, and threatened to publish this data if the ransom was not paid. It took REvil less than a year to begin using these tactics against political entities - including the former US President Donald Trump.

Can the Russian government canvass the increasing power of this potential ally? Possibly not voluntarily - REvil (the physical location of the group is still questionable), as well as their cybercrime colleagues, claim that they are apolitical in nature and aim only for profits. But what if these profits were threatened, such as with extended regulation of cryptocurrencies in which ransoms are paid? By adding a singular law, the Russian state can flip the board of threat actor motivations. Now, if a syndicate accepts the ransom in cryptocurrency and this ransom is bigger than a symbolic number of $8,124 USD a year, this syndicate is essentially challenging the Russian state. The ransom business suddenly becomes political, whether the syndicates want it to be or not - and this adds an entirely new layer for the “cryptolocker pandemic” which, until these days, was explicitly about money. By enforcing crypto law, the Russian government builds the legal base for overtaking the power and establishing total control over the DarkWeb market, including the ransomware sector.

Restricted on cryptocurrency flows and obligated to report their balances, ransomware operators will no longer be able to “legally” stay in the shade. The criminal cyber business might be taken away completely or, more likely, be obligated to cooperate with the government for its financial and economical good. For instance, the REvil ransomware syndicate might be the one that was already recruited by the Russian government during one of the hunt operations. However, before diving into an analysis of REvil recruitment, let’s take a look at the core of the underground community.

The Hidden Allies - A Peculiar Relationship Between the Russian State & the DarkWeb

In December 2019, AdvIntel published observations regarding DarkWeb and political cyberattacks. We identified that when it comes to the Russian-speaking DarkWeb, almost any for-profit service can be utilized for the needs of political or geopolitical operations. This results from a complicated relationship between the Russian-speaking cyber underground and the Russian state.

In the ever-continuing great power struggle, Russia broke world records countless times. In the summer of 2019, Russia broke the record of becoming the world leader in the number of Tor browser users, overtaking Iran and the United States. On July 11, 2019, about 600,000 Russians entered Tor, which is twice as many as previously recorded. Many of these users fall into various categories like hackers, carders, and drug dealers who operate in more than 2,500 shops. Such a number demonstrates not only high interest from regular users but also the amount of criminal activity within the Russian DarkWeb sector.

This underground community started to form in the late ‘80s. Most of the hackers who operate today were born in the Soviet Union and appeared on the cybercrime stage at the beginning of the ‘90s. These individuals were simultaneously empowered by one of the world's strongest schools of Soviet mathematics but faced dire social, economical, and political instability, so naturally, they joined the cybercrime community. Quite soon, this community attracted the attention of the government’s security apparatus. This resulted in a long and complicated relationship between the state and the DarkWeb in which the primary paradigm was set through the following rule - as long as the Russian-speaking threat actors target Russia’s foreign adversaries, the government ignores their criminal activity.

This bizarre relationship started with the massive spike of carding activities against US and EU targets in the early 2000s. DarkWeb marketplaces operated on selling drugs, guns, fake documents, and other prohibited goods and services. In the late 2000s, botnets developed by Russian speakers and citizens of the CIS (the Commonwealth of Independent States) even further advanced the development of cybercrime. And, in 2019, ransomware syndicates joined the elite club of cyber threats originating from this region. Today, the Russian-speaking segment of the DarkWeb evolved to nearly 40% of the global market share.

The DarkWeb offers unique capabilities and opportunities for the Russian state intelligence as it spreads beyond Russian jurisdictions. This space exists beyond borders and relies only on skills and the shared language - Russian. These individuals can operate from Israel, Turkey, Iran, Azerbaijan, Poland, Hungary, Bulgaria, China, Korea, Thailand, USA, Canada, UK, Netherlands, Greece, Italy, Kazakhstan, Belarus, Finland, and Sweden.

Moreover, secretly using the services from the members of this community can be more secure and easy to conceal. Russian threat actors mostly communicate through private messages. Discussion of the deals or other related information are usually performed through Jabber or Telegram, as well as in exclusive forums. This way the risks of attribution and discovery of a deal between the state and for-profit hackers are minimized.

As a result, each major addition to the DarkWeb domain naturally attracts the attention of the state. This was seen in cases of high-profile Russian carders like Vladislav Khorokhorin or Alexey Burkov. Russia initiated a harsh diplomatic and legal fight in order to prevent these individuals from imprisonment in the US, despite the non-diplomatic and nonpolitical nature of their crimes. When Russian-developed botnets began to proliferate, certain DarkWeb forums and Telegram channels held discussions where they speculated that Evgeniy Bogachev - the creator of GameOverZeus - works for the Russian government. According to them, Bogachev was the main IT organizer of a pro-regime financial transfer network. This network was allegedly involved in the massive money transfers sent to pro-government groups established by the Kremlin during 2011-2012 in order to counterbalance the mass protest movement originating after the 2011 election falsifications.

The ransomware market was the most recent addition to the DarkWeb ecosystem, and it may be only a matter of time until the state intelligence starts perceiving it as its new strategic frontier.

The Unconquered Domain - Russian State & the Ransomware Market

The Russian-speaking syndicates are clearly dominating the ransomware market these days. REvil, Ryuk, Egregor, Nephilim, and numerous others are estimated to be the major force behind today’s ransomware operations.

There is only one rule which defines this completely chaotic space, not controlled neither by legal, nor ethical means. This main rule is to not attack the CIS countries - Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Tajikistan, Turkmenistan, Ukraine, Uzbekistan, and, of course, Russia. Russian authorities conduct arrests of those who break this rule on a daily basis, but at the same time turn a blind eye to those attacking foreign entities (especially the United States and Western Europe).

Operationally and economically, the market operates on cryptocurrencies. Ukraine and Russia currently have the biggest cryptocurrency adoption index, indicating high streams of cryptocurrency inside of these countries. A large part of this crypto flow activity is connected to the ransomware market consisting of large amounts of ransoms obtained from victims. By utilizing the scheme of exploiting the victim’s network vulnerabilities and then exfiltrating and locking it up, ransomware operators demand tens of millions of USD for the decryption key on a weekly basis.

Ransomware Deployment Scheme

(Image Source: AdvIntel)

As a result of the new law, the ransomware sector can face a radical shift. The law may become a game-changer by building a legal ground for auditing, disrupting, and inhibiting the main financial artery of the ransomware blood flow. By implementing a crypto law, Russian authorities are providing themselves with the legal base to hunt down ransomware operators and force them into recruitment and allegiance, monopolizing this market.

It also became known that on February 2, 2021, Russian digital regulatory agency Roskomnadzor blocked xabber[.]com registered in Estonia and belonging to Redsolition OÜ company. Xabber (widely called Jabber) is the anonymized messenger that is actively being used by ransomware operators for communication purposes. According to Roskomnadzor, Xabber failed to comply with Russian government regulations and refused to register in the ORI list (register of information dissemination organizers) which requires its members to provide access to users’ data. Ransomware operators still might find different ways of communications, however, this step taken by the government once again indicates its seriousness to establish control overshadow parts of the Internet.


“Ransom Bear” - REvil-as-a-New-APT28/9 Scenario Analysis

This scenario analysis is meant to illustrate what can be potential consequences of the crypto law implementation, and subsequent pressure on ransomware syndicates to ally with the government.

REvil is chosen as a case study for this research and a feasible recruit for Russian offensive operations due to several reasons.

First - it is one of the most prolific and effective syndicates of our time.

Second - while being a ransomware gang, it is also a well-established collective of elite cyberspies. Emerging in the first half of May 2019, REvil started to quickly recruit a handful of affiliates to run their criminal machine.

Very soon, REvil established itself as one of the most dangerous and prolific ransomware syndicates, as their affiliate model attracted elite actors. This group of elite affiliates consisted of sophisticated network intruders - individuals who knew how to silently hide within the target’s environment. With elite affiliates on board, REvil suddenly started to operate in an APT-style manner. High-profile targets were taken down during a well-thought-out and well-planned secretive operation while stealing sensitive information was the main operation of the attack.

Such strategy became REvil’s signature craft when the syndicate started to entirely rely on ransomhack attacks. In this attack, a threat actor steals sensitive information and blackmails the victim by threatening to share it online if the ransom is not paid.

REvil’s network of DarkWeb affiliates includes individuals who are ideal for state-sponsored cyber attacks. These elite actors employed by the syndicate are able to perform secretive espionage operations and hit targets within the energy and other critical infrastructure industries.

(Source: AdvIntel Research Blog)

Third - REvil victimology seems especially appealing for the