Crypto Payment Among Russian Dark Web Users Tripled Since the War

Following Russia’s invasion of Ukraine, the United States, Canada, the United Kingdom, and the European Union moved to bar 7 Russian banks from the Swift, the world’s largest financial messaging system.

Shortly after the move, the Russian currency, the Ruble, plummeted by nearly 30%, leading local civilians to queue at ATMs and ushering in a new era of shortages across the country.

The fall of the Russian currency left many to wonder whether Russians will turn to cryptocurrencies for an answer. Recent figures released by Coin Metric showed a slight increase in the number of people moving funds to new digital wallets that hold cryptocurrencies.

Can this trend be seen on the dark web?

Cryptocurrencies are widely used on the dark web. The anonymity crypto transactions provide have long been used by threat actors, including Russian hackers. But our cyber team set out to find whether the war and the recent sanctions have led more Russian threat actors to use cryptocurrencies in the deep and dark web.

Has there been an increase in the use of crypto by Russian cybercriminals since the war?

According to blockchain research firm Arcane Research, the USDT/RUB (Tether/Russian ruble) trading volume on February 28 broke a new record with $34.94 million. 

Using our dark web feeds, we have seen a similar trend forming since the start of the war and the introduction of the SWIFT ban. One of the more staggering figures we could find is that the number of Russian posts using crypto wallets for trading has tripled since the beginning of the war.

We found several posts published by cybercriminals who use crypto since the start of the war.

The use of crypto by Russian cybercriminals on the deep and dark web

While examining the type of content related to crypto since the war, we were able to find a bigger number of illicit posts that list crypto coins along with an increase in crypto-related discussions on the dark web.

Example #1: Russian threat actors collecting crypto bounty for assassination of Russian President Vladimir Putin

In the post below you can see a group of russian threat actors who collect crypto bounty on the dark web hacking forum Verified, which they claim will serve to pay Russian Federation officers who will be willing to assassinate Russian President Vladimir Putin. They are asking to transfer the funding to three different crypto wallets – BTC, ETH, USDT.

Example #2: A Russian threat actor is offering crypto for ransomware

In the post below, a Russian threat actor is looking for “undetectable ransomware” via the Russian hacking forum XSS. He is offering to pay 1,000 USDT crypto coins for it.

Example #3: Crypto payment for illegal money transfers

A Russian threat actor is looking for people to cash money, along with selling bot services on the same group on Telegram. The payment for these services is done in crypto.

Russians mentioning crypto in discussing about the crisis in the dark web

Not all discussions we found of Russian threat actors who trade in crypto involve illicit topics. Some of them are written by new dark web users or old inactive users who are using the deep and dark web to make a living in the midst of an ongoing war. Others are using crypto wallets to fundraise for donations.

The next example is taken from Telegram, where a Russian posted a status on the rise in the use of popular cryptocurrencies such as USDT/ETH/BTC/LTC as a result of the ongoing crisis.

In one part of the post, he writes: “This is not a call to run and buy crypto, this is a recommendation to consider providing a payment option to your customers that will definitely be used.”

You can find another example in the post below. The aim of the post is to raise donations to support the army of Ukraine on Russian dark Telegram groups. In it, they are asking for funds to be sent to BTC, ETH, USDT and TRC accounts.

Other mentions of crypto by Russian deep and dark web users include general discussions on the crisis.

Dark web discussions regarding the economic crisis in Russia

Our cyber team has seen countless mentions of cryptocurrencies as part of a general discussion on the economic crisis in Russia. Many of these discussions took place across the dark web, including several non-Russian sources, on hacking forums, paste sites and chat applications. 

The main topics of discussions included: 

• The SWIFT ban imposed on 7 Russian banks
• The use of crypto coins as one of the most popular monetary alternatives during this time of emergency
• Discussions among Russian who are leaving the country and look for ways to secure their financial situation amid times of economic and technological uncertainty

Below are two examples of discussions on the Russian forum XSS and Dread, both are popular hacking forums, regarding the collapse of the Russian economy: 

In the next post, Russian and Ukrainian members of a hacking forum are asking for donations to their crypto wallets. Their request was posted on the known Russian hacking forum vlmi.io. The original post was removed from the forum but we are able to show it by using our Cyber API.

The translation of the post into English reads: “Hello everyone, there is a small city in Ukraine. Now in occupation. We need funds, if anyone can help, here is the bitcoin wallet XXXXXXXXXXXXXXXXX The funds will be used to buy food and help children, orphans, and pensioners. Binance has removed the withdrawal fee.”

Our dark web research has revealed that although cryptocurrencies have been widely used by dark web users, and more specifically by threat actors, we have seen the start of a new trend since the start of the war. A greater number of Russian and Ukrainian dark web users are using and discussing cryptocurrencies as means to survive the impact of the war between Russia and Ukraine.