WEBINAR | From Deal to Defense: Unifying Cybersecurity Post-M&A
Reduce Alert Noise and False Positives
Boost your team's productivity by cutting down alert noise and false positives.
Automate Security Operations
Boost efficiency, reduce burnout, and better manage risk through automation.
Dark Web Monitoring
Online protection tuned to the need of your business.
Maximize Existing Security Investments
Improve efficiencies from existing investments in security tools.
Move your security operations beyond the limitations of MDR.
Secure with Microsoft 365 E5
Boost the power of Microsoft 365 E5 security.
Secure Multi-Cloud Environments
Improve cloud security and overcome complexity across multi-cloud environments.
Secure Mergers and Acquisitions
Control cyber risk for business acquisitions and dispersed business units.
Solve security operations challenges affecting critical operational technology (OT) infrastructure.
Force-Multiply Your Security Operations
Whether you’re just starting your security journey, need to up your game, or you’re not happy with an existing service, we can help you to achieve your security goals.
Detection Investigation Response
Modernize Detection, Investigation, Response with a Security Operations Platform.
Locate and eliminate lurking threats with ReliaQuest GreyMatter
Find cyber threats that have evaded your defenses.
Security metrics to manage and improve security operations.
Breach and Attack Simulation
GreyMatter Verify is ReliaQuest’s automated breach and attack simulation capability.
Digital Risk Protection
Continuous monitoring of open, deep, and dark web sources to identify threats.
GreyMatter Phishing Analyzer removes the abuse mailbox management by automating the DIR process for you.
The GreyMatter cloud-native Open XDR platform integrates with a fast-growing number of market-leading technologies.
Unify and Optimize Your Security Operations
ReliaQuest GreyMatter is a security operations platform built on an open XDR architecture and designed to help security teams increase visibility, reduce complexity, and manage risk across their security tools, including on-premises, clouds, networks, and endpoints.
Brands of the world trust ReliaQuest to achieve their security goals.
Learn how to achieve your security outcomes faster with ReliaQuest GreyMatter.
The latest security trends and perspectives to help inform your security operations.
Industry Guides and Reports
The latest security research and industry reports.
Catch up on the latest cybersecurity podcasts, and mindset moments from our very own mental performance coaches.
A deep dive on how ReliaQuest GreyMatter addresses security challenges.
The latest white papers focused on security operations strategy, technology & insight.
Current and future SOC trends presented by our security experts.
Events & Webinars
Explore all upcoming company events, in-person and on-demand webinars
From prevention techniques to emerging security trends, our comprehensive library can arm you with the tools you need to improve your security posture.
Get the latest threat analysis from the ReliaQuest Threat Research Team. ReliaQuest ShadowTalk Weekly podcast featuring discussions on the latest cybersecurity news and threat research.
ReliaQuest's ShadowTalk is a weekly podcast featuring discussions on the latest cybersecurity news and threat research. ShadowTalk's hosts come from threat intelligence, threat hunting, security research, and leadership backgrounds providing practical perspectives on the week's top cybersecurity stories.
February 20, 2024
We bring our best attitude, energy and effort to everything we do, every day, to make security possible.
Security is a team sport.
No Show Dogs Podcast
Mental Performance Coaches Derin McMains and Dr. Nicole Detling interview world-class performers across multiple industries.
Make It Possible
Make It Possible reflects our focus on bringing cybersecurity awareness to our communities and enabling the next generation of cybersecurity professionals.
Join our world-class team.
Press and Media Coverage
ReliaQuest newsroom covering the latest press release and media coverage.
Become a Channel Partner
When you partner with ReliaQuest, you help deliver world-class cybersecurity solutions.
How can we help you?
A Mindset Like No Other in the Industry
Many companies tout their cultures; at ReliaQuest, we share a mindset. We focus on four values every day to make security possible: being accountable, helpful, adaptable, and focused. These values drive development of our platform, relationships with our customers and partners, and further the ReliaQuest promise of security confidence across our customers and our own teams.
As a threat intelligence professional, it’s difficult to ignore how major developments in the real world affect the lives of cybercriminals. In 2020, threat actors saw instant success when executing COVID-19-themed social engineering campaigns after the onset of the pandemic. In 2021, we saw an unprecedented shift in the cybercriminal landscape after the Colonial Pipeline attack and the swift backlash against ransomware operators that followed. In the first quarter of 2022 alone, the Russia-Ukraine war has affected cybercriminals’ livelihoods, forcing many difficult financial choices and even displacing some from their homes. On top of this, a series of recent law enforcement takedowns has resulted in the closure of two dark web juggernauts – the Russian-language drugs-focused marketplace HYDRA and the popular English-language cybercriminal forum RaidForums.
With so many significant developments shaking the foundations of the cybercriminal underground, especially for Russian-language cybercriminals, it feels like the next chapter in Russian-language cybercrime is inextricably tied to today’s headlines. This blog explores how current events are shaping the Russian-language cybercriminal scene and how some Russian-speaking cybercriminals are responding to a changing threat landscape.
Russia is no stranger to economic hardships in modern times. The nineties were filled with turmoil for Russia as it attempted to adjust to the post-Soviet era and a market-based economy. In 1998, the country suffered an infamous economic crash that presented an unusual opportunity for a new generation of Russians – cybercrime. Could the punitive sanctions following Russia’s invasion of Ukraine lead to history repeating itself and inspire a new generation of cybercrime? While we can’t say for certain, what we do know is that the economic disruption in Russia has already spilled over into Russia-based threat actors’ lives, as we have witnessed on several Russian-language cybercriminal forums.
On one platform, in a thread discussing sanctions against Russia, one user remarked that “many of us save our money not only in cash, but also in crypto, stocks and other valuable currencies.” They noted that “many stocks have fallen by more than 35% (mostly Russian),” and asked whether they should pull their money from their investments.
In the same thread, another user commented that the “situation with America” is “tense,” adding: “I thought of converting my small savings in dollars into rubles and throwing them into the bank for interest, but inflation is a bit**, and the dollar has not grown much over the past 3 years.” This is only a fraction of the overwhelming sentiment among Russian-language cybercriminals that the war is impacting Russia’s economy.
Conversely, some Russian-speaking cybercriminals are eager to capitalize on new business or investing opportunities, rather than bemoaning the economic situation. On another Russian-language cybercriminal forum, one user doubled down on long-term investments in Russia, forecasting that Russia would eventually bounce back from sanctions and the Russian government would buy back shares of Russian companies’ stock to buoy the economic recovery. The same user later indicated their interest in purchasing alternative investments in cryptocurrency (not surprisingly) and betting on commodities, such as oil and metal.
On 05 Apr 2022, news broke of a joint operation by German and US law enforcement authorities that resulted in the closure of HYDRA, formerly the world’s largest dark web marketplace with around 2.5 million users. HYDRA mainly focused on the drugs trade but also hosted a sizable selection of digital goods, such as fake passports, SIM cards, counterfeit cash, VPN subscriptions, and cashing out services. Listings on the platform indicated that Russia-based criminals used the site as a digital highway to coordinate illegal drugs trafficking throughout the country, e.g., dedicated sections for drug drops in named Russian cities. The marketplace functioned as its own internal economy, featuring advertisements for jobs for “dropmen,” drivers, and “chemists” involved in all facets of the drug trade.
Since HYDRA was such a staple in the Russian drug community for so long, many of its former members will likely be looking for a new marketplace. This is not an entirely unfamiliar experience: Russian-language cybercriminals have dealt with their share of drug-focused marketplaces closing in the past. In fact, HYDRA was actually created circa 2015 to meet a demand for illicit substances while other Russian-language marketplaces were on their last legs.
On 25 Feb 2022, the prolific English-language cybercriminal forum RaidForums became inaccessible for unknown reasons, prompting speculation that law enforcement agencies had compromised the site. More than six weeks later, on 12 Apr 2022, the US Department of Justice announced the seizure of RaidForums’s main and mirror domains.
After a seven-year stint, and with more than 500,000 members on the site before its takedown, RaidForums’s departure has left a sizable gap in the cybercriminal forum arena. RaidForums was a haven for financially motivated cybercriminals, dedicated to enabling the trade and sharing of illicit information and content, including account credentials, databases, and network access credentials/instructions.
Although RaidForums was a predominantly English-language forum, its users spanned the globe. Many of its members also had accounts on prominent Russian-language cybercriminal forums. These forums’ database sections attracted members who wanted to re-share or repurpose stolen or leaked databases gathered from RaidForums. It is realistically possible that these Russian-language forums may see an influx of former RaidForums members.
Shortly after RaidForums’s issues began in February 2022, one user of a Russian-language forum expressed concern that their forum would face the same fate as RaidForums. The user stated: “If RF was seized by authorities, they would come looking for other forums as well.”
In a thread discussing RaidForums’s closure, the representative of the Lockbit 2.0 ransomware group sought other users’ opinions on creating their own “pirate bay” forum that would have no “prohibitions, censorship, and rules”. The representative asked users to “like”or “dislike” their post to show whether they were for or against the idea.
With so many threat actors displaced from cybercriminal platforms, a mass exodus to alternative sites is likely underway. After all, cybercriminals still have bills to pay… especially those in Russia facing a grim economic outlook.
With HYDRA out of the picture, cybersecurity researchers have observed vendors previously active on the drugs marketplace relocating their activities exclusively to Telegram. In addition, the established, Russian-language marketplace MEGA has a strong chance of emerging as the go-to marketplace for former HYDRA users because it also serves a diverse demand for illegal items. Its vendors sell illicit substances and digital goods, including databases, carding and counterfeit-related products, ready-to-use hacking software, and social media accounts. From 2021 to 2022, MEGA’s user base increased by approximately 1,700; it will likely continue to grow in HYDRA’s absence.
On 16 Mar 2022, a prolific, well-respected user of Russian-language forums and a former RaidForums member introduced a potential successor to RaidForums called BreachForums. Although still very much in its early stages, BreachForums has the potential to become a proper replacement for RaidForums. At the time of writing, the site has more than 5,000 members and counting. Some of the newly registered usernames on BreachForums are identical to those used on Russian-language cybercriminal forums, which is a good general indicator that cybercriminals have likely migrated to the new platform. BreachForums has nowhere near the user base and popularity of RaidForums, but it has some advantages that could enable it to grow: providing incentives to former RaidForums users, appearing and functioning similarly to RaidForums, and having an administrator who is a well-known and reputable former RaidForums user.
While MEGA, BreachForums, and Telegram appear to be early favorites for adoption by some Russian-language cybercriminals, existing and well-established Russian-language forums will likely see an influx of some of these displaced individuals. Despite major law enforcement successes, cybercrime will almost certainly remain prevalent on these alternative platforms. We may also see increasing numbers of Russia-based cybercriminals compelled to pursue more financially-motivated cybercrime in response to the sanctions’ effects on Russia’s economy.
Digital Shadows (now ReliaQuest) tracks hundreds of marketplaces and cybercriminal forums, as well as over 75 ransomware data leak sites. If you’d like to search the dark web and cybercriminal underworld for malicious mentions of your organization or exposed data for sale, sign up for a demo of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here. Alternatively, you can access a constantly-updated threat intelligence library providing insight on this and other cybercriminal-related trends that might impact your organization and allow security teams to stay ahead of the game. Just sign up for a free seven-day test drive of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here.