All Was Quiet Before the Storm

Around late January, early February, a set of peculiar events occurred that sent shockwaves of concern through the MindWise team. We began receiving notifications that our Modular Analytics Engine, the core of our platform that gathers Dark Web intelligence, had lost access to several illicit marketplaces and forums.

MindWise has not involuntarily lost an avenue for intelligence gathering since our very earliest stages, when we were still developing the technology and techniques that ensure redundant, reliable access to these guarded marketplaces and forums. Team members tried to reach these locations from devices not affiliated with MindWise, but to no avail. This was, frankly, terrifying, as it could have meant that the cybergangs hosting the markets had not only discovered MindWise but had somehow linked our individual identities and personal computers to the company. However, after conducting more research and tests (and checking our personal bank accounts for fraud), we discovered that our access to the marketplaces and forums had not been revoked; rather, the Dark Web sites had ceased to exist.

Unfortunately, it is unlikely that the shutdown of these marketplaces and forums, which sell sensitive information like Social Security Numbers and discuss how to obtain it illegally, will result in less fraud. As happened when Joker's Stash, the largest illicit marketplace of its time, was closed, compromised information will be distributed and sold across other, smaller marketplaces. It is feasible, if not probable, that this will actually lead to more fraud, since many companies, unlike MindWise, appear to monitor only the largest illicit markets. With stolen personal data being brokered across a wider range of auction sites, only companies like MindWise, which maintain broad coverage of the Dark Web, will detect this hijacked data, while the rest slips through the cracks.

The sites we lost access to were primarily Russian-hosted markets and forums, which are usually quite "stable" and "reliable" locations. This is because the Russian government gives considerable leeway to cybercrime groups and their operations so long as they are not targeting or harming Russian citizens and organizations. Knowing this, it seemed more likely that a competing cybercriminal organization had taken out the marketplaces. However, it didn't take long for us to find chatter and confirming articles that a task force led by the Russian Federal Security Service (FSB) was responsible for taking the markets down. The targeted cybergangs were notorious for collectively inflicting billions of dollars of financial losses on foreign targets, usually Americans, but to our knowledge had never been involved in activities against Russia. This made the entire situation perplexing.

In another unforeseen twist, the FSB crackdown on Russian cybergangs was conducted at the request of Europol and the Biden Administration. This type of collaboration, while common between the USA and many EU countries, is almost unheard of with Russia, making the circumstances even more outlandish. That is, until we considered the greater geopolitical landscape; namely, the hundreds of thousands of Russian troops, along with armor, artillery, and supplies, currently amassing on the Ukrainian border, bringing international tensions to Cold War levels. While the connection between the two isn't immediately apparent, the timing of the FSB's atypical behavior is hard to ignore.

It will be nearly impossible to confirm Russia's true intentions behind its sudden cooperation, but conjecture brings us to several plausible theories. The most obvious is that Russia wanted to create bargaining chips to use in the diplomatic showdown it anticipated would follow the execution of its invasion plans. After all, Russian cybercriminal organizations are responsible for billions of dollars of international losses each year, making the prospect of Russian collaboration against cybercrime very appealing.

It seems fairly certain that this was a component of the motivation to move against Russian-based hacking groups, but I believe there are more strategic goals at play. It is well known that hackers typically embody the "anti-establishment" archetype, so much so that many cybercrime groups conduct advanced operations that yield no financial gain. These groups are frequently called "hacktivists", a combination of hackers and activists, since their activities are motivated solely by, and aim to promote, their ideals. A domestic organization of this type can change almost instantaneously from a benign league of programmers into a serious national security threat should the state act contrary to the ideals the hacktivist coalition holds. The Russian government surely kept this in mind as it planned its future conquest. By suppressing these groups prior to military action, the government was able to limit its exposure to domestic cyber retaliation and seal communication channels that could potentially be used for espionage.

Another beneficial result of the crackdown, from the government's perspective, is that the FSB has delivered a swift, powerful reminder to Russian cybercrime groups that they are permitted to exist and operate only as long as the Russian government allows it. This leverage may have been used to push cyber organizations to cooperate with the Russian government during the ongoing cyberwar, and we have already observed several groups pledge their allegiance and service to Russia. I also wouldn't be surprised to learn that many of the arrested hackers are working for the government from a jail cell to mitigate their own punishment, but that is purely speculative.

It's hard to say whether these theories are correct, and we will likely never know. It's nearly impossible to decipher the inner workings of a foreign government and understand a foreign population, and this difficulty is only amplified when dealing with clandestine groups like hackers. What is clear, however, is that cyberspace and the Dark Web are now unquestionably connected to geopolitics.

Please read Russia, Ukraine, and the Impending Cyberwar Part 1 and Part 2, coming soon, to learn more about how cybersecurity is intertwined with today's current events and what it means for us.

Written by,

Tobin Shea

Co-Founder and CEO