Global Scam Series 2025

Russia Scams 2025: State-Sponsored Fraud Infrastructure – Where Ransomware Meets Geopolitics

ScamWatchHQ

ScamWatchHQ

20 min read
Russia Scams 2025: State-Sponsored Fraud Infrastructure – Where Ransomware Meets Geopolitics
Photo by Nikolay Vorobyev / Unsplash

Executive Summary

Russia occupies a unique and disturbing position in the global cybercrime ecosystem – a nation-state that doesn't just harbor cybercriminals, but cultivates, protects, and weaponizes them for strategic advantage. Ranked #1 on the World Cybercrime Index, Russia serves as the birthplace and safe harbor for the world's most destructive ransomware operations, including LockBit (2,000+ victims, $120+ million in ransom payments), Conti (leaked source code spawning countless variants), and REvil (Colonial Pipeline, $11 million ransom). Russian-speaking cybercriminals dominate an estimated 75% of global ransomware revenue, operating from a jurisdiction where the unwritten rule is simple: *"Don't target Russia or

its allies, and you won't be prosecuted."* Russian citizens themselves lost an estimated $4.2 billion (₽330 billion) to cybercriminals in 2025, with 170 billion rubles ($2.2 billion) in unsuccessful theft attempts against Sberbank clients alone. Yet the Russian government provides bulletproof hosting services, cryptocurrency laundering infrastructure, and even recruits arrested hackers into intelligence services – creating a symbiotic relationship where cybercrime serves both profit and statecraft. International sanctions are beginning to show cracks in this system, with Russia conducting limited arrests in 2025 to manage diplomatic pressure, but the fundamental safe harbor policy remains intact. This is the story of how a nation-state transformed cybercrime into a strategic weapon, creating a $10.5 trillion annual global threat while simultaneously victimizing its own citizens.

The Scale of Russia's Cybercrime Empire

Global Dominance Statistics

World Rankings:

  • #1 on World Cybercrime Index (ahead of Ukraine, China, USA, Nigeria)
  • 75% of global ransomware revenue flowing to Russian-speaking actors
  • 30% of global spam emails originating from Russia (2023)
  • 7+ billion spam emails sent daily from Russian infrastructure

Financial Impact:

  • $10.5 trillion: Projected global cybercrime cost by 2025
  • $1.85 million: Average cost of single ransomware attack
  • $2 million: Average ransom payment in 2024 (up from $400,000 in 2023)
  • $265 billion: Projected annual ransomware costs by 2031

Domestic Losses (Russian Victims):

  • $4.2 billion (₽330 billion): Estimated Russian losses to cyber fraud in 2025
  • ₽80+ billion ($1+ billion): Stolen from Russians in first half of 2025
  • ₽170 billion ($2.2 billion): Unsuccessful theft attempts against Sberbank clients alone
  • 20% of Russian PCs: Faced at least one malware attack annually
  • 10% of Russian PCs: Attacked by phishing yearly

The Ransomware Ecosystem

Major Operations:

  • LockBit: Most deployed ransomware variant globally (2022-2023), 2,000+ victims, $120+ million in confirmed ransom payments
  • Conti: Source code leaked after Ukraine invasion, spawned countless variants
  • REvil: Colonial Pipeline attack ($11M ransom), Kaseya supply chain attack
  • DarkSide: Colonial Pipeline, caused largest cyberattack on US energy infrastructure
  • NotPetya: 2017 attack caused $10+ billion in global damages
  • Phobos: 1,000+ victims including children's hospitals, $16+ million in ransom

Infrastructure:

  • Bulletproof Hosting Providers: Aeza Group, Zservers, XHOST
  • Cryptocurrency Mixers: Garantex, TRON addresses laundering $350,000+
  • Dark Web Forums: Exploit, XSS, RAMP (Russian Anonymous Marketplace)
  • RaaS Platforms: Ransomware-as-a-Service enabling affiliates worldwide

The Safe Harbor Policy: How Russia Protects Cybercriminals

The Unwritten Rule

For decades, Russia maintained a simple, unofficial policy that enabled its cybercrime empire:

The Deal: Russian hackers can target foreign victims – particularly in the United States, Europe, and NATO countries – without fear of prosecution, provided they follow two rules:

  1. Never target Russian citizens, businesses, or government entities
  2. Cooperate with Russian intelligence services when requested

The Evidence: LockBit 3.0 ransomware is specifically designed to avoid infecting machines with language settings that include Romanian (Moldova), Arabic (Syria), and Tatar (Russia). This isn't accidental – it's programmatic protection of Russian interests.

The Quote: As Karen Kazaryan, CEO of the Internet Research Institute in Moscow, explained: "Just don't ever work against your country and businesses in this country. If you steal something from Americans, that's fine."

The Intelligence Service Connection

Russia's relationship with cybercriminals goes beyond passive tolerance – it's active cultivation:

Recruitment Methods:

  • The Choice: Arrested hackers offered alternatives to prison – work for the state
  • Moonlighting: State-employed hackers conducting cybercrime "off the clock"
  • System Sharing: Same computer systems used for state-sanctioned hacking and personal cybercrime
  • Mixed Operations: State business mixed with personal enrichment

Historical Examples:

Yahoo Breach (2014): Over 500 million user accounts compromised, with a 2017 U.S. indictment charging four men, including two FSB (Federal Security Service) officers. The officers allegedly used their state positions to facilitate personal cybercrime.

SolarWinds Supply Chain Attack: While primarily state-sponsored espionage, demonstrated Russia's sophisticated cyber capabilities

NotPetya (2017): Ostensibly ransomware, but actually a destructive wiper attributed to Russian military intelligence (GRU Unit 74455, "Sandworm"). Caused over $10 billion in global damages while targeting Ukraine.

The APT Groups: State Actors

Russia operates multiple Advanced Persistent Threat (APT) groups that blur the lines between state espionage and criminal activity:

APT28 (Fancy Bear):

  • Linked to GRU Unit 26165
  • Targets parliaments, broadcasters, election campaigns across Europe
  • 2016 US election interference operations
  • 2014-2016 Ukrainian artillery targeting (Android malware)

APT29 (Nobelium/Midnight Blizzard):

  • Linked to Russia's SVR (Foreign Intelligence Service)
  • Long-running espionage campaigns
  • SolarWinds supply chain compromise
  • Targets governments and technology firms

Sandworm (GRU Unit 74455):

  • Deployed NotPetya destructive malware
  • 2015 and 2016 Ukrainian power grid attacks
  • 2022 Viasat attack during Ukraine invasion
  • Global cyberwarfare capabilities

Turla (Secret Blizzard):

  • Assessed as FSB-linked
  • Continues espionage operations
  • 2025 activity targeting foreign embassies in Moscow

Star Blizzard (Callisto/ColdRiver):

  • FSB-linked spear-phishing operations
  • Targets officials, academics, NGOs
  • 2023 British authorities revealed multi-year campaign against UK lawmakers
  • Faces sanctions, criminal charges, technical takedowns

Recent Cracks in the Safe Harbor

2024-2025 Shift: After years of complete impunity, Russia began conducting limited arrests of cybercriminals in response to Western pressure.

Operation Endgame Impact (May 2024): Unprecedented Western law enforcement operation against ransomware infrastructure raised diplomatic costs of Russia's safe harbor policy.

Recorded Future Analysis: Russia's crackdown serves dual purposes:

  1. Outward: Ostensibly demonstrates desire to curtail cybercrime
  2. Inward: Reminds criminals "who's boss" – that they serve at Kremlin's pleasure

The Selective Approach: Russia sacrifices "pawns" (low-level criminals) while protecting "queens" (valuable botnet and ransomware developers):

  • Money launderers: Face apparently serious penalties
  • Core developers: Ersatz trials ending with no real consequences
  • State assets: Protected members useful to intelligence services

April 2025 Arrests:

  • Aeza Group executives: Bulletproof hosting provider linked to threat actors and illicit marketplaces
  • Mamont banking Trojan: Associated hackers arrested
  • Conti, LockBit, REvil members: Arrests with "flaccid penalties" indicating lack of seriousness

Underground Reaction: Dark web forums show fear – actors stating: "I don't know if I feel comfortable being on a site like this and speaking Russian anymore."

The Reality: This represents managed compliance, not genuine enforcement. Russia controls the boundaries of enforcement based on strategic interests, not rule of law.

LockBit: Rise, Fall, and Resilient Resurrection

The Ransomware King (2019-2024)

LockBit epitomizes Russian ransomware operations – sophisticated, prolific, and remarkably resilient despite law enforcement disruption.

Read more