In a few previous blogs, we’ve covered how threat actors discuss prison on Russian-language cybercriminal platforms. We’ve touched on high-profile arrests of cybercriminals, their thoughts on the likelihood of ending up behind bars, and how they rate their chances among hardened traditional career criminals. We’ve never really focused on the language used in these forum discussions, but this is crucial for analyzing this chatter. Forum discussions about jail usually showcase a linguistic phenomenon unique to Russia and the former Soviet Union: Феня (Fenya). This slang vocabulary represents a gateway to the murky world of Russian prison culture, where a cell phone is a “pedal”, trouble is “weed”, and to make a promise is to “give someone your tooth”. This blog will explore this fascinating phenomenon and explain why security researchers must have a solid grasp of it to fully understand forum discussions.
Fenya: Origins and influences
Fenya is a secret language used in correctional facilities across Russia and the former Soviet Union. There are competing hypotheses about Fenya’s etymology. Some say it comes from something similar to pig-Latin, in which “fe” and “nya” were inserted between alternate syllables of a word to confuse those unaware of the convention. Another competing theory suggests that Fenya comes from the language of the “Ofenyi”–traveling merchants and icon peddlers in Russia during the Middle Ages and Imperial Russia–who used a secret language when speaking to each other to dupe their victims. Although Fenya’s exact etymology is unknown, its influences are much clearer. It contains a large mix of German, Greek, Georgian, and more recently–owing to mass incarceration of Jews during Stalin’s rule–Yiddish and Hebrew.
More than just slang
Fenya is much more complex than the prison slang seen in the West. It has a rich and varied vocabulary full of double meanings that is incomprehensible to even native Russian speakers. Fenya is a way for prisoners to communicate with others in the criminal community without being understood by those outside it, but it’s also a language of identity. Even the way in which users profess knowledge of the phenomenon is coded: ботать по фене (botat’ po fenye) “to know/speak Fenya” literally translates to “to cram on the hairdryer”. To speak Fenya is to associate yourself with the Russian criminal underworld, its members, and its cultural institutions. To use Fenya is to show others that you are part of a world of extreme and institutionalized violence.
When prisoners were released en masse from Soviet Gulags in the 1980s, wider Russian society encountered Fenya for the first time. Fenya has since permeated government institutions, universities, the military, and even the police. Even Russian President Vladimir Putin has employed Fenya on occasion. For instance, he used the phrase “Ваше место у параши” (vashe mesto u parashi) = “Your place is by the slop bucket” to characterize the West’s treatment of Russia after the collapse of the Soviet Union as degrading. “Parasha” is a Fenya word meaning “slop bucket” or “open toilet”, which prisoners of the lowest ranks must sleep next to.
Although many Russian speakers are aware of Fenya’s existence, strong taboos surrounding its use mean that they are reluctant to admit to understanding it. Fewer still would want to use it — after all, it’s a criminal language. Prison authorities even banned the use of Fenya in jails in 2013. Lexicographers have also noted the difficulties in compiling Fenya dictionaries, due in part to its users’ aversion to outsiders. As a result, few credible resources are available for those who wish to learn it.
Fenya’s relevance to cybercrime
Fenya is everywhere on Russian-language cybercriminal platforms. It even made multiple appearances in the chat logs of the ransomware group Conti, which were leaked in February 2022. Despite its ubiquity, it’s hard to spot if you don’t know what you’re looking for. We’ve stressed the importance of understanding technical jargon before, and it’s a similar story here. Many words have a double meaning in standard Russian and Fenya, which causes problems for security researchers who copy Russian-language posts into machine translation software. This often results in a totally incorrect translation or misses a subtle nuance only visible to those familiar with Fenya and its speakers. Russian-speaking threat actors use Fenya in four main ways on forums: normalized terms used unwittingly, to impede researchers’ understanding, for credibility and legitimacy, and for authority.
A few Fenya words have become so widespread and normalized on Russian-language cybercriminal forums that many will not even recognize them as Fenya and may believe they are simply community terms. For example, халява (khalyava), meaning “giveaway”. This word of Hebrew origin appears in titles of forum sections in which users freely share useful items such as mail:pass combolists, email leads, and stolen identity documents.
Another important term is мусор (musor). In standard Russian, this means “trash, garbage”, but in Fenya, the word means “cop, police”. So when one forum user asked “форум мусорской?” (forum musorskoy?) they were not inquiring about the quality of the platform’s content. Instead, they were asking whether law enforcement had infiltrated the forum. Other crucial Fenya words are бабки (babky) “money” and красный (krasnyy) “informant” (lit. red).
Forum users are keenly aware of the presence of security researchers on their platforms. Just as initial access brokers often refrain from naming their victims outright to make it harder for researchers to track, forum users may employ Fenya to make it difficult to follow their conversations. For instance, the Greek-origin term пиндос/пендос (pindos/pendos) was the name of a city and mountain range in ancient Greece. In Fenya it is a derogatory term for Americans often used to denigrate “Yanks” during discussions about Western law enforcement policies.
Fenya for credibility and legitimacy
Due to the anonymous nature of cybercrime, a threat actor’s reputation is everything on a forum. No one wants to deal with someone they can’t trust. Concerned for their operational security, many traders on Russian-language forums explicitly state that they do not work with non-Russian speakers, for fear of interacting with researchers or law enforcement. Using Fenya can help users add a bit of credibility to their online accounts. Given the difficulty of learning Fenya as a non-native due to the lack of widespread and up-to-date resources, using it may be one way of proving your Russian-ness. In addition to individual words, Fenya has a rich repository of idiomatic phrases, some of which have spread to colloquial Russian. A few cybercriminal favorites are:
- Лох не мамонт (lokh nye mamont) lit. “A sucker is not a mammoth” (it hasn’t gone extinct), meaning “there’s a sucker born every day”. This phrase is often used when discussing social engineering attacks and “the human factor”.
- Бог не фраер (он все видит) (Bog nye fraer (on vsyo vidit)) lit. “God is not a sucker (he sees everything)”. Patriotic or more compassionate Russian-speaking cybercriminals use this phrase to dissuade others from targeting Russian speakers or the vulnerable, as it means “you can’t cheat your conscience”.
- Зуб даю (zub dayu) lit. “I will give you my tooth”. This two-word combination is used when attempting to assert your trustworthiness, and comes from the criminal promise to provide a golden tooth to your debtor if you renege on a loan.
Yet it’s not enough to just learn a bit of Fenya and pepper your forum posts with this vocabulary. Despite its centuries-old history, Fenya is a constantly evolving institution, with new words added every year to keep up with changes in technology and culture, and old words changing in meaning or becoming obsolete. Forum users who want to appear credible must keep up to date. Recent additions include:
- Педаль (pedal’) lit. pedal, meaning “cellphone”
- Тачка (tachka) lit. “wheelbarrow”, meaning “car” in Fenya but used for “machine/computer/PC” on forums
- Чайник (chaynik) lit. “teapot”, meaning “big guy/bully” in Fenya but used for “novice, layman, beginner” on forums
Fenya for authority
In many ways, cybercriminals see themselves as a different breed from their offline counterparts: They inhabit a world where technical knowledge trumps your ability to fight, fire a weapon, or outrun the police. However, when convicted, black hats often end up in the same place as pickpockets, armed robbers, and murderers. Forum users pepper their posts with Fenya when discussing past or potential future stints in the зона (zona), “the zone”, Fenya for high-security prisons in Russia. Using Fenya in this context shows that you know what you’re talking about – that you are part of and comfortable around the extremely violent Russian prison culture. There’s an element of bragging in this, with forum members who have served time–or wish to give this impression–using elements of Fenya as “proof” of their authority to speak about prison experiences.
In instances like this, knowledge of Fenya and prison culture help researchers extract additional context. When discussing the Russian penitentiary system’s recent proposal to “hire out” convicted IT specialists from within Russian prisons, one user asked whether many IT specialists “на нарах парятся” (na narakh paryatsya). Machine translation software will tell you this phrase means “to steam on the bunk beds”, but the user was actually asking whether there are many IT specialists in Russian prisons. And there’s an additional nuance that is lost on the layman. Нары (nary) are the lowest beds in a Russian prison cell, closest to the slop bucket, reserved for the lowest ranks of the six castes in the Russian prison system. This user may be hinting that those convicted of cybercrime in Russian prisons will face a more difficult time.
We’ve barely scratched Fenya’s surface here, but hopefully you now have at least some understanding of its use and importance when researching the Russian-language cybercriminal scene. At Digital Shadows (now ReliaQuest), we understand that knowledge of the linguistic and cultural aspects of cybercrime is just as important as the technical when painting an accurate picture of the threat landscape for our clients. Just as cybercriminals are so keen to exploit it on their end, understanding the “human factor” is vital when trying to understand and defend against threat actors. After all, there is a human behind every attack. Understanding the real meaning behind their language helps to paint a clear picture of a threat actor’s intentions and motivations, which in turn helps defenders counter them.
If you’d like to know more about how threat actors communicate, get a demo of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here. You can additionally get a 7-day free trial of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here and receive actionable alerts regarding cyber threat activity.