Russian ransomware gangs account for 69% of all ransom proceeds

Russian-speaking threat actors accounted for at least 69% of all crypto proceeds linked to ransomware throughout the previous year, exceeding $500,000,000.

This number is from TRM Labs, a blockchain intelligence and analytics firm specializing in crypto-assisted money laundering and financial crime.

North Korea is the leader in stealing cryptocurrency through exploits and breaches, having stolen over a billion dollars in 2023. Asia also remains the leader in scams and investment fraud

However, Russians reportedly dominate all other malicious activity involving crypto.

Dominating cybercrime

In a report TRM published yesterday, the firm explains that Russia-based cybercriminals enjoy the lion’s share of illicitly gained cryptocurrency.

“Russian-speaking threat actors from across the former Soviet Union consistently drive most types of crypto-enabled cybercrime, from ransomware to illicit crypto exchanges and darknet markets,” explains TRM.

Ransomware is a form of cybercrime in which attackers steal and encrypt data on compromised systems and then demand a ransom payment in exchange for a decryption key and a promise to delete the stolen files.

In 2023, the largest players in this space included LockBit, Black Basta, ALPHV/BlackCat, Cl0p, PLAY, and Akira, all run by Russian-speaking threat actors.

The ransomware landscape constantly changes, with ALPHV/BlackCat now shut down, and LockBit seeing diminished activity since its disruption by law enforcement.

However, new groups are filling the void, such as RansomHub, which has quickly grown to become one of the most active ransomware gangs.

TRM says LockBit and ALPHV alone collected cryptocurrency ransom payments of at least $320,000,000 during 2023, while all Russian ransomware proceeds surpassed $500 million.

This is over two-thirds of the total, leaving a share of just 31% of ransomware groups from other countries worldwide.

TRM reports that Russian-language darknet markets sell various illicit items and services and account for 95% of all sales of this kind recorded globally.

In 2023, the three largest Russian dark web markets handled $1.4 billion in transactions, whereas the Western markets reached a total of $100 million over the same period.

Russia is also dominant in money laundering, with TRM claiming that the Russia-based Garantex alone accounted for 82% of cryptocurrency handled by sanctioned entities worldwide. The US sanctioned Garantex in 2022 for allegedly helping launder illegal proceeds for the Hydra dark web marketplace.

“At least some of this volume represents cryptocurrency sent by Russian-speaking actors to sanctioned Chinese manufacturers to purchase military equipment and critical components used by Russian forces in Ukraine,” explains TRM in the report.

“This equipment includes commercial UAVs, anti-UAV equipment, thermal optics, integrated circuits (ICs), GPS modules, and tantalum capacitors critical to the production of Russian weapons systems.”

Since the start of the war in Ukraine, TRM has recorded a flow of $85,000,000 from Russia to Chinese firms making weapons or related equipment.

The blockchain analytics firm believes Russians’ disproportionate involvement in cybercrime can be attributed to a combination of historical, regulatory, and normative issues pushing skilled Russians toward that space.

At the same time, the political isolation of Russia from the Western world has exacerbated the challenges of tracking, disrupting, and arresting Russian cybercriminals.

The current situation has effectively reduced the risks associated with cybercrime activities, while the potential for high profits remains attractive.