2 Remove Virus

Russia moves from tolerance to control of hacking groups

The Russian government has shifted its stance toward cybercriminal groups, evolving from passive tolerance to active management, according to a report by the cybersecurity firm Recorded Future. Previously known for allowing cybercriminals to operate unchecked so long as they did not target Russian interests, authorities are now exercising increasing control over these networks.

According to the report, the change began around 2023 as pressure from international law enforcement actions mounted. Russian intelligence and law enforcement services now recruit or co-opt cybercriminal talent when it aligns with state interests, tolerate activity that serves geopolitical objectives, and step in to disrupt or suppress groups that become embarrassing or politically inconvenient.

One of the markers of this shift has been high-profile arrests and seizures that seem choreographed to reinforce state control. For example, after the international takedown of services such as Cryptex and UAPS under Operation Endgame, the Russian government announced investigations into those platforms, arrested nearly 100 individuals, and seized roughly $16 million in assets.

Analysts say these actions are less about dismantling harmful groups and more about managing the ecosystem, targeting cash-out and enabling infrastructure while preserving threat actors that furnish intelligence or disruption capabilities.

The report emphasises that the model is selective rather than comprehensive. Cybercriminal groups whose operations align with the Russian state’s aims continue to operate with relative impunity, while those judged to be a liability are targeted. Leaked chats from groups such as Conti and TrickBot reportedly confirm links between senior operators and Russian intelligence services.

Meanwhile, the cybercriminal underground itself is adapting, increasingly favouring decentralised operations and closed recruitment to evade disruption.

For organisations and governments outside Russia, the shift carries important implications. The blurring of the line between state-sponsored activity and criminal enterprise means that attacks may become more persistent, better resourced, and harder to attribute. The report suggests that many organisations, especially in Europe, should prepare for a threat landscape where criminal groups are indirectly backed or tolerated by state actors.

At the same time, experts caution that the new model does not equate to Russia cracking down on cybercrime across the board. Rather, it represents a governance model, one where certain elements of the cybercriminal ecosystem are regulated or tolerated depending on state interest.

As the relationship between criminals and state actors continues to evolve, cyber-defenders may need to revisit assumptions about threat attribution and risk models. Understanding whether a threat actor is operating purely for profit or is being managed as a tool of state policy is increasingly relevant for defence and intelligence strategies.