Notes from the Dark Web: Analyzing Ukraine-Related Chatter in Key Forums
Over the past week, TRM analysts have been tracking the chatter on various dark web forums to identify the overall mood of the forum members related to the conflict in Ukraine and, more specifically, any discussion by threat actors of sanctions and how they may impact criminal activity, and whether there is any discussion of cryptocurrency as a means of circumventing the sanctions.
Key Takeaways:
- Threat actors across multiple, primarily Russian-speaking, forums have been discussing the possibility and impact of Russia being cut off from SWIFT.
- As in other times of geopolitical conflict, the forums themselves have tried to maintain a veneer of neutrality.
- However, various individual threat actors have expressed a desire to help their Ukrainian “colleagues.”
- Some threat actors have also expressed a general concern with the Russian economy, including the fate of the Russian stock market, which would indicate that they reside in Russia or are otherwise personally impacted by the fate of the Russian economy.
- The sanctions will negatively affect the ability of threat actors to withdraw stolen funds because services such as cryptocurrency exchanges and banks will not send funds to accounts at Russian banks.
- Threat actors believe that cryptocurrency should be formally legalized in Russia in order to circumvent the sanctions against Russia.
While there are some threat actors who have taken sides in the conflict, Russian-language forums try to maintain neutrality regarding the war in Ukraine. The ransomware group Conti has notoriously threatened to go after anyone in conflict with Russia. Some threat actors have posted what they claim to be internal data from a Russian defense contractor as a form of protest against the Russian invasion of Ukraine.
But on the whole, threat actors on dark web forums have been discussing the prospect of Russia being cut off from SWIFT and how that would impact both Russia’s and the world’s economies. Some of the threat actors have forecast that, as a result of Russia being cut off from SWIFT, the world would wind up being split into two geopolitical centers of gravity – China/Russia and Europe/US.
Still others have speculated that Russia will be cut off, but that people will start smuggling SWIFT transactions through Ukraine. In other words, Russian criminal actors will likely have to have partners in Ukraine who will help them process bank transactions.
Indeed, though there are some forum members who have expressed an eagerness to help Ukrainians, going as far as to offer Ukrainian forum members food and shelter in countries such as Romania, most threat actors seem to primarily be concerned about how the new changes will impact their illegal activities.
When one threat actor asks whether it still makes sense to try to steal foreign credit cards and whether Russian threat actors will still be able to monetize the foreign cards, another threat actor responds that the individual likely won’t be able to withdraw crypto using cards issued by Russian banks because the exchanges won’t allow it. He or she also states that it does depend on the individual banks and names a bank that “is still holding on.”
In general, multiple forum members stated that they do not hold funds in banks because the funds are safer in cryptocurrency. A moderator on one forum suggests that a wholesale switch to the use of crypto would help circumvent the sanctions against Russia and that Russia should legalize cryptocurrency immediately.
Other discussions include the topic of Russian stocks and stock markets, whether to buy dollars (the general consensus is that it’s too late to do so at the current exchange rates), inflation, and other topics that would be of particular interest to individuals residing in Russia at this time.
On the whole, in reviewing the data from dark web forums, TRM analysts found that while threat actors are concerned about the conflict and how it will affect their ability to move the proceeds of illegal activity, there does not seem to be evidence of significant active participation by the threat actors in the conflict.
TRM Labs will continue to monitor the situation, particularly as it relates to the use of cryptocurrency in cybercrime and potential evasion of sanctions. We will also monitor for any changes in TTPs (tools, techniques, and procedures) used by threat actors to take advantage of the conflict or to mitigate its effect on their activities.