How and Why Russian Hackers Were Prosecuted in 2019
News about the arrests of cybercriminals in Russia appears in the media with impressive regularity. The headlines are loud, but they rarely explain what exactly the suspects are accused of or what crimes they committed. This article explains how cybercriminals are prosecuted in Russia and how strict the judicial system is with them.
In Russia, the main fighters against cybercrime are specialized divisions of the FSB and the Ministry of Internal Affairs. They initiate criminal cases, which are then sent to court for a verdict. To assess how effectively computer crimes are being combated, I analyzed court decisions from 2019 under the “hacker” articles of the Criminal Code, based on open data. These records are published online in accordance with Federal Law No. 262-FZ “On Ensuring Access to Information on the Activities of Courts in the Russian Federation.” In some cases, the texts of court decisions were missing (without explanation) and were not included in this study.
Attacks on Government Information Infrastructure
You may have seen news headlines like “Hacker Sentenced for Attempting to Hack Government, Administration, or Ministry Website.” Such headlines, with words like “hacker” and “hacked,” create the impression of a seasoned criminal, but that’s not always the case.
The typical scheme: the perpetrator installs hacking software on their computer and attacks remote servers, sometimes hitting government resources. Three main types of attacks are noted: SQL injection, brute force, and DDoS. According to the court decisions, the following programs (which the courts classify as malicious) were used: ScanSSH, Intercepter-NG, NLBrute 1.2, RDP Brute, Ultra RDP2, sqlmap, Netsparker, and SQLi Dumper.
Many court decisions mention that the attacks were carried out from the perpetrators’ real IP addresses (no proxy, VPN, or Tor), which made it easy for law enforcement to identify the suspects and prove their involvement.
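The same property that makes these cases easy to prosecute makes them easy to detect: a brute-force attempt from one real IP address leaves a dense trail of failed logins in the target’s authentication logs. The following script is an added example, not code from the original article or from any case it describes. It parses sshd-style “Failed password” lines, aggregates failures per source address, and flags sources that cross a threshold, also reporting how many usernames and hosts each source touched (a single IP hammering several accounts on several hosts is the pattern described above). The log lines are constructed sample data, and the address ranges used are documentation ranges, not real attacker infrastructure.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not real data). 203.0.113.7 and
# 198.51.100.20 are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
Mar  3 10:01:02 srv1 sshd[1201]: Failed password for root from 203.0.113.7 port 51522 ssh2
Mar  3 10:01:03 srv1 sshd[1201]: Failed password for root from 203.0.113.7 port 51523 ssh2
Mar  3 10:01:04 srv1 sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51524 ssh2
Mar  3 10:01:05 srv1 sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 51525 ssh2
Mar  3 10:01:06 srv1 sshd[1204]: Failed password for root from 203.0.113.7 port 51526 ssh2
Mar  3 10:02:10 srv1 sshd[1210]: Failed password for alice from 198.51.100.20 port 40100 ssh2
Mar  3 10:02:30 srv1 sshd[1211]: Accepted password for alice from 198.51.100.20 port 40101 ssh2
Mar  3 10:03:00 srv2 sshd[2200]: Failed password for root from 203.0.113.7 port 51600 ssh2
"""

# Matches the standard sshd "Failed password" message; "invalid user"
# appears when the account does not exist on the host.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failed_logins(log_text):
    """Return one (host, user, ip) tuple per failed-login line.

    Lines that do not match (successful logins, other daemons) are skipped.
    """
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            events.append((m.group("host"), m.group("user"), m.group("ip")))
    return events


def brute_force_sources(events, threshold=5):
    """Aggregate failures by source IP and return only sources at or above
    the threshold, with the usernames and hosts each one touched."""
    per_ip = defaultdict(lambda: {"failures": 0, "users": set(), "hosts": set()})
    for host, user, ip in events:
        rec = per_ip[ip]
        rec["failures"] += 1
        rec["users"].add(user)
        rec["hosts"].add(host)

    flagged = {}
    for ip, rec in per_ip.items():
        if rec["failures"] >= threshold:
            flagged[ip] = {
                "failures": rec["failures"],
                "users": sorted(rec["users"]),
                "hosts": sorted(rec["hosts"]),
            }
    return flagged


if __name__ == "__main__":
    events = parse_failed_logins(SAMPLE_LOG)
    for ip, rec in brute_force_sources(events).items():
        print(f"{ip}: {rec['failures']} failed logins, "
              f"users={rec['users']}, hosts={rec['hosts']}")
```

The threshold of five failures is an assumed value for the constructed sample; in practice it is tuned per environment, and the user and host spread is what separates a forgotten password (one user, one host) from credential guessing. The single user with one failure followed by a successful login in the sample is correctly left unflagged.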
Outcomes of Cases Involving Attacks on Government Infrastructure
- Real prison term – imprisonment for a set period.
- Other penalties – any punishment not involving actual imprisonment.
- Case dismissed – due to reconciliation, a court fine, or active repentance. The person is not considered convicted.
Such attacks rarely lead to an actual system breach and are usually committed by “beginner hackers.” This explains the relatively “soft” sentences: out of 27 cases, only three resulted in real prison terms (all for repeat offenders). Thirteen received other penalties, and ten cases were dismissed.
An interesting case involved a prisoner who, while serving time, was given access to a computer for official tasks. He found a database of inmates, copied it, and used programs like IPScan, Intercepter-NG, and NLBrute 1.2 to attempt further hacks. The low level of information security in the prison’s security department is surprising.
Theft of Money
In the 21st century, money is stored not only in banks but also in electronic payment systems. Cybercrimes involving theft are considered highly dangerous, so the punishment is stricter.
Outcomes of Cases Involving Theft via Computer Attacks
ATM Hacking
In 2019, there were three court decisions on ATM hacking. The most publicized involved the international Cobalt group, where two “mules” were convicted for helping steal 21.7 million rubles from a Yakutian bank. The hackers used fake Microsoft support emails to gain access, escalated privileges, and sent commands to ATMs to dispense cash. The two brothers received 6.5 and 5.5 years in prison. They had already handed over most of the stolen money to the organizers, keeping 2 million rubles to compensate the bank.
In another case, a group of four broke into ATMs, connected to USB ports, and used the Cutlet Maker malware to dispense cash. A remote accomplice activated the program and took 30% of the loot. Only one attempt was successful, with 250,000 to 1 million rubles stolen. Sentences ranged from 1 year 7 months to 4 years in prison.
The third case was similar: one person used Cutlet Maker to steal about 4 million rubles from an ATM and was caught during a second attempt. He received four years in prison.
All these cases involved low-level group members—more “thieves” than “hackers.” The masterminds remained out of reach.
Android Trojans
Two notable cases: In one, a convict created and distributed an Android trojan from prison, stealing money from victims’ bank cards. In another, a member of the TipTop group in Chuvashia helped spread banking trojans disguised as apps, stealing card data and money. He received a two-year suspended sentence. In most cases, only low-level participants—uploaders and droppers—were prosecuted.
Phishing
One cybercriminal used phishing to steal email accounts from auto parts stores, then sent fake invoices to customers, stealing about 3.5 million rubles. He received 4.5 years in prison. In another case, a criminal used fake banking app pages to steal 14,800 rubles and received a suspended sentence. A Voronezh resident who offered hacking services for 2,000–5,000 rubles also received a non-custodial sentence.
Carding (Goods Fraud)
The defendant hacked user accounts on sites like amazon.com and bought goods, reselling them on hacker forums for 60–70% of their value. He used a Russian hosting provider’s virtual server and received a restricted freedom sentence.
Ransomware
Despite the prevalence of ransomware, only three court decisions were made in 2019. In one, a hacker brute-forced Russian company servers, encrypted 1C databases, and demanded 3,000 rubles for decryption. He received a suspended sentence. Another case involved encrypting 1,835 foreign computers using RDP Brute and Mimikatz, with the hacker earning nearly 4 million rubles in bitcoin. He received a seven-month suspended sentence and a 100,000 ruble fine. In the third case, hackers encrypted the servers of a critical infrastructure company and received two-year suspended sentences.
Bughunting Gone Wrong
In Balakovo, a local hacker used Private Keeper to hack online store accounts, threatened to leak data, and demanded up to 250,000 rubles. He also stole bonuses from utility payment sites. Due to his young age and health, he received a 3-year 3-month suspended sentence. Again, this was a case of a low-skilled user with a computer and internet access turning to cybercrime.
Services
Malware Distribution
Ads for malware sales are common on hacker forums and Telegram channels. Experienced sellers use anonymization or intermediaries to avoid prosecution, so usually only beginners are caught. The damage in such cases is minor, so the sentences are lenient.
Outcomes of Malware Distribution Cases
In five cases, hidden miners, software activators, and brute-force tools were distributed via Telegram. In another, a RAT was sold for 1,600 rubles. All received non-custodial sentences. However, the admin of the “Dark Side / Manuals / Schemes” Telegram channel, already on probation for fraud, received three years in prison for distributing various hacking tools.
Stealers
One criminal stole at least 42,371 password and credit card archives, planning to sell them for over 4.5 million rubles but was caught. He received a two-year suspended sentence. Another posted YouTube videos with stealer links disguised as game patches and received a restricted freedom sentence.
Web Shells
One person sold web shells and brute-force software, but was caught selling to an undercover FSB agent. He received a restricted freedom sentence.
Selling Account Credentials
Criminals brute-forced popular online service accounts and sold them. Two received restricted freedom sentences, and one case was dismissed with a 10,000 ruble fine.
Copyright Infringement
This is the Criminal Code article most commonly used to prosecute IT specialists. Guilt is easy to prove, often with a single test purchase.
Outcomes of Copyright Infringement Cases
Bypassing Licensed Software Protection
Test purchases were made of installations of expensive software, such as Compass-3D, ArchiCAD, AutoCAD, Microsoft Office, and Windows. Offenders charged 700–5,000 rubles per installation. In half the cases, the sentence was replaced with a court fine. However, if the value of the software exceeded a million rubles, stricter penalties, including suspended sentences, were imposed.
Game Consoles and Online Games
Some defendants bypassed Sony PlayStation protection to resell consoles. One received a restricted freedom sentence, another a one-year suspended sentence. In a case involving the game R2 Online, the defendant disabled protection and received a 100,000 ruble fine after the case was dismissed.
Cryptocurrency Mining
Two employees of the Russian Federal Nuclear Center used company computers to mine cryptocurrency, causing 1,087,448 rubles in damages. One received 3 years 3 months in prison and a 200,000 ruble fine; the other got a four-year suspended sentence and a 250,000 ruble fine.
Conclusions
The Russian judicial system is relatively lenient with cybercriminals. Real prison terms are given to those involved in socially dangerous crimes such as theft, and to repeat offenders. Often, cases are dismissed with a court fine, sparing beginners from a criminal record and future employment problems.
As for catching serious cybercriminals, usually only mules, droppers, and cashers are prosecuted, while the real organizers avoid punishment. The only successful example of dismantling a hacker group is the ongoing case against the Lurk group.
IT specialists are often prosecuted for installing unlicensed software, which, given the low danger, would be more fairly handled with a fine rather than a criminal case.
Hacking and malware tools are becoming more accessible, so we can expect even more sensational headlines about the capture of “dangerous hackers,” who in most cases turn out to be ordinary users or script kiddies far removed from real IT expertise.