Russia-Ukraine war reaches dark side of the internet
The darknet has become another, quiet front in the war as Russian and Ukrainian hackers, once united, drift apart.
In April, German police, acting on a tip-off from their American colleagues, discovered the servers of the single-largest online bazaar for narcotics and other contraband on the planet.
From 2017, Hydra had dominated the illegal drug business in Russia and neighbouring countries. After taking control of the site, German authorities retrieved 23 million euros ($16.7m) in ill-gotten cryptocurrency.
But what likely caught the attention of Western law enforcement was not Russian drug dealers, doing business mainly in Russia.
Hydra also offered forged documents, hacking, and money laundering services, which could be used nefariously against Western interests or citizens.
While the takedown of Hydra was the result of an operation which had begun months before Russia’s invasion of Ukraine in February, the digital landscape it once dominated has become another, quiet front in the Russia-Ukraine war.
In the past, Russian and Ukrainian cybercrooks plundered victims’ bank accounts together – 20 years ago, Russian-speaking cyber-scammers from across the old Soviet empire descended on Odesa for their first worldwide conference.
But according to András Tóth-Czifra, a senior analyst at Washington, DC-based Flashpoint Intelligence, since around 2019, there has been a widening split between Russian hackers and their former partners-in-crime.
“[There was] a growing unease that Ukraine was co-operating with Western cyber-police, which itself was a consequence of Western countries providing aid to strengthen Ukraine’s cyber-defences,” Tóth-Czifra explained.
“It gave an understanding that if you’re in Ukraine, you can be arrested. Of course, you’re not always going to be arrested, especially if you’re just a petty cybercriminal. But if you were, for instance, a ransomware operator, you suddenly faced higher risks. And yes, afterwards, there were larger arrests.”
After the downfall of Hydra, much of its customer base and merchants regrouped on RuTor, an online forum that is one of the Russian internet’s oldest cybercrime hangouts.
Then, rumours spread that the website was under the control of the SBU, Ukraine’s security service.
Allegations of a sinister Ukrainian mafia poisoning the nation’s youth through narco-trafficking have been around since the mid-2010s. But other than the nationality of some suspects, there is no solid proof of a conspiracy leading to the SBU itself.
But these rumours made RuTor a target for the pro-Kremlin hacktivist group Killnet, which bombarded the forum with DDoS (distributed denial-of-service) attacks.
DDoS attacks work by directing botnets (networks of malware-infected computers under the attackers’ control) to flood the target’s servers with traffic until they can no longer serve legitimate users.
“There was the takedown of Hydra which prompted a war of marketplaces,” said Tóth-Czifra. “But since the context [of the Ukraine war] was there, they started defining their actions. For instance, when Killnet drew on its followers to commit DDoS attacks against RuTor, they depicted RuTor as an SBU forum. One thing Killnet has certainly been doing is trying to get support from the state; they have been quite open about that.”
Vladislav Cuiujuclu, a cybercrime specialist at Flashpoint, added: “It wasn’t an explicit attack against narcotics marketplaces, it was an attack on marketplaces that allegedly have connections to Ukraine. WayAway, which is seen as the successor of Hydra in some ways, Killnet actually supports them. So perhaps the Ukrainian connection is just a convenient thing for them.”
In November, Killnet claimed responsibility for cyberattacks on Skylink, business magnate Elon Musk’s satellite communications network, and the White House, for their support of Ukraine. They are also believed to be behind recent cyberattacks on the European Parliament.
“A definite change we have seen in the past nine months is the appearance of collectives that primarily focused on DDoS, but what’s really important is they openly recruit people on Telegram through various bots,” Cuiujuclu revealed.
“I’m not only talking about Killnet, I’m talking about Anonymous Russia and all those subgroups. According to the admins of these groups, they recruited hundreds and thousands of people who allegedly are volunteers.”
Killnet is a group of hacktivists with clear political aims they want to achieve.
For the most part, cybercrooks mainly interested in making money have stayed out of the fray, their interest in current affairs confined to how they can make a profit.
For example, when mobilisation was declared in Russia, darknet scammers began selling fake Schengen visas.
And the Russian occupation of Ukraine’s Kherson and Mariupol barely interrupted the flow of mephedrone, hashish and other drugs to those areas, as an investigation by Russian independent newspaper Novaya Gazeta discovered.
But at least one chief ransomware collective, Conti, swore allegiance to Russia before being betrayed by a Ukrainian insider, who leaked their secret chat logs.
From these logs, it appears Conti may have a loose working relationship with Russian intelligence.
And while botnet attacks and hacktivists are one thing, what about the “real” internet world?
In October, the popular Telegram channel SHOT, which occasionally publishes Kremlin talking points, reported that a 16-year-old girl working as a courier for an online drug dealer in Nizhny Novgorod was ordered to pay off a debt to her boss by burning down a military draft office.
Since the outbreak of war, dozens of draft offices have caught fire across Russia. The teenager, however, refused to go through with the plan, and instead handed two of her fellow arsonists to the police; the mastermind remains at large.
Russian law enforcement sources told pro-Kremlin news site Life.ru that Ukrainian agents paid 30,000 Russian rubles ($470) for every recruitment office set alight while sharing clips of the attack on social media could earn you 5,000 rubles ($80). An act of sabotage against Russian infrastructure, meanwhile, was worth up to $20,000.
While Al Jazeera was unable to independently verify these offers, the analysts at Flashpoint said such acts are more likely orchestrated through existing saboteur networks.
“It’s possible some saboteurs are being hired through the dark net, but I think it is likelier that if there is any coordination, it takes place on Telegram in groups like the Free Russia Legion or Rospartizan who have encouraged such actions and have shared contact details and set up Telegram bots for those who want to get in touch,” said Tóth-Czifra.
At the start of the war, the administrators of Legalizer.cc, one of the biggest drug platforms in Ukraine, announced they “sympathise with what is happening” and offered “financial assistance to residents of Ukraine who find themselves in a difficult situation”.
On request, the platform promised to deposit about $20 at a time to users’ crypto-accounts. Elsewhere on the site, it is possible to read feedback from recipients expressing their thanks, with a few attaching photographs of food or other essentials which they had bought.
“I thank the forum for moral and financial support!!!” one wrote. “We will win! Ukraine will be free!”
Judging by the continuous feedback, as of December the scheme is still running.
But hackers have also exploited the crisis.
According to a recent report on the Latvia-based news site Meduza, which is exiled as Russia cracks down on independent media, Ukrainian charities have been hacked and their donations diverted to the Russian neo-Nazi paramilitary group Rusich, to buy equipment and bulletproof vests.
Rusich also accepted payouts from accounts on at least three online drug markets, although it is possible they were only using the darknet bazaars to hide their trail of money, or they infected the dealers’ computers with malware. Rusich leader Alexey Milchakov confirmed the hacking scams and called drug dealer donors “true patriots of Russia.”
“These are fairly easy techniques that you can commercially buy on illicit forums,” said Tóth-Czifra.
“Most of the cyber-criminals in these forums are going to be financially motivated, they’re not going to have second thoughts about diverting donations or hacking a website that collects humanitarian funds. But I think we’re definitely not seeing the full picture. The sums are relatively small, but if you run several schemes like this then, after a while, you’ll collect a considerable amount of money.”