Due to sanctions on Russia and law enforcement activities against dark web markets, the Russian cybercrime community, which is one of the most active and prolific in the world, is moving to alternate money-laundering tactics.
Despite the limited possibilities, cybercriminals are contemplating potential strategies to pay out or secure stolen dollars and bitcoin, according to talks from threat actors recorded by Flashpoint researchers.
The “ideal storm”
As a result of Russia’s invasion of Ukraine, bank sanctions and the banning of SWIFT payments were imposed. The typical cash flow channels utilized by hackers were hampered as a result of this.
Then came the suspension of direct money transfer providers like Western Union and MoneyGram in Russia. Scammers and extortionists frequently used them to collect money from victims without exposing their true identities.
On April 5, German authorities seized the servers of Hydra Market, the largest Russian darknet portal, shutting down a significant business (about $1.35 billion in yearly revenue) that also provided money-laundering services.
The United States sanctioned Garantex the next day, one of the most major platforms used by Russian cybercriminals to launder stolen assets, following a wave of sanctions on similar sites that began in 2021.
Finally, Binance became the first major cryptocurrency exchange to effectively prohibit Russian users from transacting or investing, and more are expected to follow suit soon. Even large-scale coin mining activities in Russia have been sanctioned.
Cybercriminals are flocking to China
Russian hackers have primarily used Chinese payment systems, such as Chinese banks and the Union Pay card system, according to data acquired by Flashpoint from cybercriminal forums.
However, Union Pay is reportedly considering refusing to serve Russian consumers, making the proposition unviable in the long run.
Since the bank troubles, a new breed of money launderers has evolved, offering money transfers through banks in countries such as Armenia, Vietnam, and China, which have not imposed restrictions on Russian institutions.
Because cryptocurrency exchanges, even those in Russia, are increasing their KYC (know your customer) regulations, darknet coin-mixing and cash-out businesses are among the few options accessible.
Crooks are forced to shift to smaller, less trustworthy organizations since money-laundering suppliers on Hydra no longer have a reliable platform to advertise their services.
According to Flashpoint, some cybercriminals have taken a long-term strategy to this scenario, investing in gold or holding their cryptocurrencies in cold wallets until the situation improves.
However, the scenario is unlikely to affect financially driven threat action. Lower-tier threat groups and less capable hackers will be the hardest hit, but more sophisticated groups’ private laundering channels are likely to remain operational.
