Russia-Ukraine war reaches dark side of the internet
In April, German police, acting on a tip from their American colleagues, discovered the servers of the single-largest online bazaar for drugs and other contraband on the planet.
As of 2017, Hydra dominated the illegal drug business in Russia and neighboring countries. After German authorities seized control of the site, 23 million euros ($16.7 million) in ill-gotten cryptocurrencies were found.
But what likely caught the attention of Western law enforcement was not Russian drug traffickers who do business primarily in Russia.
Hydra also offered forged documents, hacking and money laundering services, which could be used cunningly against Western interests or citizens.
While the removal of Hydra was the result of an operation that began months before Russia’s invasion of Ukraine in February, the digital landscape it once dominated has become another, silent front in the Russia-Ukraine war.
In the past, Russian and Ukrainian cyber crooks have raided victims’ bank accounts together – 20 years ago, Russian-speaking cyber scammers from across the former Soviet empire descended on Odesa for their first global conference.
But according to András Tóth-Czifra, a senior analyst at Flashpoint Intelligence in Washington, DC, since about 2019 there has been a wider rift between Russian hackers and their former partners in crime.
“[There was] a growing unease that Ukraine is cooperating with Western cyber police, which itself was a result of Western countries providing assistance to strengthen Ukraine’s cyber defenses,” explained Tóth-Czifra.
“It gave an understanding that if you are in Ukraine, you can be arrested. Of course, you’re not always going to get arrested, especially if you’re just a petty cybercriminal. But if you were a ransomware operator, for example, you suddenly faced greater risks. And yes, after that there were bigger arrests.”
After the demise of Hydra, much of its customer base and many of its dealers regrouped on RuTor, an online forum that is one of the Russian Internet’s oldest cybercrime hangouts.
Then rumors spread that the site was under the control of the SBU, Ukraine’s security service.
Allegations of a sinister Ukrainian mafia poisoning the country’s youth through drug trafficking have been around since the mid-2010s. But apart from the nationality of some suspects, there is no solid evidence of a conspiracy leading to the SBU itself.
But these rumors made RuTor a target for the pro-Kremlin hacktivist group Killnet, which bombarded the forum with DDoS (distributed denial-of-service) attacks.
DDoS attacks work by directing botnets (infected computers) under the hackers’ control to overwhelm the target servers with web traffic, to the point where they cannot function.
“There was the removal of Hydra which caused a war of marketplaces,” said Tóth-Czifra. “But since the context [of the Ukraine war] was there, they began to define their actions. For example, when Killnet used its followers to launch DDoS attacks against RuTor, they portrayed RuTor as an SBU forum. One thing Killnet has certainly done is try to get support from the state; they were pretty open about it.”
Vladislav Cuiujuclu, a cybercrime specialist at Flashpoint, added: “This was not an explicit attack against drug marketplaces, it was an attack on marketplaces that are said to have links to Ukraine. WayAway, considered in some ways the successor to Hydra, Killnet actually supports them. So maybe the Ukrainian connection is just a convenient thing for them.”
In November, Killnet claimed responsibility for cyber attacks on Starlink, business magnate Elon Musk’s satellite communications network, and the White House, for their support of Ukraine. They are also believed to be behind recent cyber attacks on the European Parliament.
“A definite change that we have seen in the last nine months is the appearance of collectives that focused mainly on DDoS, but what is really important is that they are openly recruiting people on Telegram through different bots,” Cuiujuclu revealed.
“I’m not just talking about Killnet, I’m talking about Anonymous Russia and all those subgroups. According to the administrators of these groups, they have recruited hundreds and thousands of people who are said to be volunteers.”
Killnet is a group of hacktivists with clear political goals they want to achieve.
Cyber crooks who are primarily interested in making money have mostly stayed out of the fray, limiting their interest in current affairs to how they can make a profit.
For example, when mobilization was declared in Russia, darknet scammers started selling fake Schengen visas.
And the Russian occupation of Ukraine’s Kherson and Mariupol has barely interrupted the flow of mephedrone, hashish and other drugs into those areas, as an investigation by the Russian independent newspaper Novaya Gazeta has discovered.
But at least one major ransomware collective, Conti, swore allegiance to Russia before being betrayed by a Ukrainian insider, who leaked their secret chat logs.
From these logs, it appears that Conti has a loose working relationship with Russian intelligence.
And while botnet attacks and hacktivists are one thing, what about the “real” internet world?
In October, the popular Telegram channel SHOT, which sometimes publishes Kremlin talking points, reported that a 16-year-old girl working as a courier for an online drug dealer in Nizhny Novgorod had been ordered to pay off a debt to her boss by burning down a military draft office.
Since the outbreak of war, dozens of draft offices have caught fire across Russia. However, the teenager refused to go through with the plan, and instead handed over two of her fellow arsonists to the police; the mastermind remains at large.
Russian law enforcement sources told the pro-Kremlin news site Life.ru that Ukrainian agents paid 30,000 Russian rubles ($470) for each recruitment office set on fire, while sharing clips of the attack on social media could earn 5,000 rubles ($80). An act of sabotage against Russian infrastructure, meanwhile, was worth up to $20,000.
Although Al Jazeera could not independently verify these offers, the analysts at Flashpoint said that such acts are more likely to be orchestrated by existing saboteur networks.
“It’s possible that some saboteurs are hired by the dark net, but I think most of the coordination of setting fires of recruitment sites and things like that, it’s actually taking place through groups like the Free Russia Movement that specifically called for these actions, and they have Telegram bots where you can just get in touch with them and, you know, offer your services,” said Tóth-Czifra.
At the beginning of the war, the administrators of Legalizer.cc, one of the largest drug platforms in Ukraine, announced that they “sympathize with what is happening” and “offered financial assistance to residents of Ukraine who found themselves in a difficult situation”.
Upon request, the platform promised to deposit approximately $20 at a time into users’ crypto accounts. Elsewhere on the site, it is possible to read feedback from recipients expressing their thanks, with some photos attached of food or other essentials they bought.
“I thank the forum for moral and financial support!!!” wrote one. “We will win! Ukraine will be free!”
Judging by the ongoing feedback, as of December the scheme is still running.
But hackers also exploited the crisis.
According to a recent report on the Latvia-based news site Meduza, which is in exile as Russia cracks down on independent media, Ukrainian charities have been hacked and their donations diverted to the Russian neo-Nazi paramilitary group Rusich to buy equipment and bulletproof vests.
Rusich also accepted payouts from accounts on at least three online drug markets, although it’s possible they were just using the darknet bazaars to hide their money trail, or they infected the dealers’ computers with malware. Rusich leader Alexey Milchakov confirmed the hacking scam and called drug dealer donors “true patriots of Russia”.
“These are fairly easy techniques that you can buy commercially on illegal forums,” said Tóth-Czifra.
“Most of the cybercriminals in these forums are going to be financially motivated, they’re not going to have second thoughts about diverting donations or hacking a website that collects humanitarian funds. But I think we are definitely not seeing the full picture. The amounts are relatively small, but if you run several schemes like this, after a while you will collect a significant amount of money.”