Crypto Crime in Russia: Ransomware, Sanctions Evasion, and Disinformation
In recent years, Russian-speaking threat actors have emerged as a dominant force in the world of crypto crime, unique in the breadth of their illicit activity. From ransomware attacks to the operation of darknet marketplaces (DNMs), these groups have established a significant presence on the international stage.
A recent report from TRM Labs demonstrates that these Russian-speaking entities continue to drive most types of crypto-enabled cybercrime: coordinating widespread ransomware attacks, operating darknet markets for the sale of narcotics and other illegal drugs, and evading sanctions through the use of crypto exchanges.
The diverse landscape of Russian-led crypto crime
Ransomware:
Russian-speaking ransomware groups account for 69% of all ransomware proceeds
Ransomware has become one of the most prevalent forms of cybercrime, with attackers encrypting victims’ data and demanding cryptocurrency as ransom for decryption keys.
In 2023, Russian-speaking ransomware groups were responsible for a staggering 69% of all proceeds from ransomware, amounting to over USD 500 million. Among the most notorious operators, LockBit and ALPHV/BlackCat accounted for a combined USD 320 million in revenue, solidifying their status as the leading players in the ransomware space.
Darknet markets:
Russian-speaking actors are responsible for 95% of all crypto-denominated drug sales on darknet markets
Darknet marketplaces (DNMs) continue to serve as a hotbed for malign activity. In 2023, Russian-speaking actors were responsible for an astonishing 95% of all crypto-denominated illicit drug sales conducted on darknet markets.
This overwhelming percentage highlights the scale of Russian-speaking actors’ operations and their critical role in facilitating the exchange of illegal substances around the world. Sales of drugs on Russian DNMs are dominated by mephedrone and other synthetic cathinones, the raw materials for which are often supplied by Chinese precursor manufacturers.
Russian-language DNMs are also distinctive in their use of “dead drops” as part of the zakladka or “stash” system, which allows them to complete deliveries more frequently and efficiently. In 2023, the three largest Russian-language DNMs handled USD 1.4 billion in cryptocurrency (primarily bitcoin), around one-third higher than in 2022. By contrast, the entire Western DNM ecosystem handled less than USD 100 million in 2023, around a fifth less than in 2022.
Sanctions evasion:
Garantex accounts for 82% of the world’s sanctioned crypto volume
The use of cryptocurrency has become a tool for evading international sanctions.
Specifically, Russia-based exchange Garantex — which was sanctioned by the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) in April 2022 — accounted for 82% of crypto volumes associated with sanctioned entities and jurisdictions in 2023.
Weapons and war:
USD 85 million has been sent to wallets linked to Russian and Chinese entities involved in the trade of military equipment
Garantex has also served as a source of funds from Russian-speaking entities to Chinese military equipment manufacturers that produce commercial UAVs and anti-UAV equipment, thermal optics, GPS modules, and more — which are used to fund Russia’s war machine and aid Russian forces in Ukraine.
TRM research has found that since 2021, at least USD 85 million has been sent to wallets linked to Russian and Chinese entities involved in the manufacturing, transport, and sale of military and dual-use equipment and critical components.
Disinformation:
Russia funds political disinformation campaigns with cryptocurrencies
Russian-speaking entities have also been known to use cryptocurrencies to fuel disinformation and election interference campaigns — particularly in the last two election cycles in the United States. Disinformation campaigns funded via cryptocurrency typically involve a network of facilitators — including exchanges, domain registrars, hosting providers, payment processors, digital marketing agencies, deepfake producers, social media amplifiers, and "articles for hire" services.
“Russia has fostered an illicit finance ecosystem of darknet markets, non-compliant crypto businesses, ransomware, and paramilitary groups. All these pieces of Russia’s money laundering puzzle play a role in interference and disinformation,” explained Ari Redbord, TRM’s global head of policy.
The role of global cooperation in disrupting crypto crime
From dominating ransomware and darknet markets to facilitating sanctions evasion through exchanges, Russian-speaking actors have created a complex and far-reaching network of crypto crime.
But the disruption of major groups like LockBit and Hydra demonstrates that cooperation between international law enforcement, governments, and private sector firms, armed with the right intelligence, can make an impact in taking down these bad actors and creating a safer financial and geopolitical system for everyone.