Recent takedowns lead to arrests
On February 7 and 8, the domains of several well-known Russian-language illicit communities—Ferum Shop, Sky-Fraud, Trump Dumps, and UAS—were seized by Department K, a division of the Ministry of Internal Affairs of the Russian Federation that focuses primarily on information technology-related crimes.
In addition to seizing the domains, Russian authorities arrested Artem Alexeyevich Zaytsev and at least five other individuals. Artem Zaytsev appears to be the CEO of Get-Net LLC—the registrar for Sky-Fraud, Trump Dumps, UAS, and Ferum—and is connected to a range of other businesses in the Russian cities of Perm and St. Petersburg, including a loan provider.
A growing concern
Threat actors are concerned about their future, as these takedowns have also fueled an already ongoing discussion about potential law enforcement takeovers of other major cybercrime venues. At the center of this conversation are Russia’s two main bodies for dealing with financial and cybercrimes, the Federal Security Service and Ministry of Internal Affairs’ (MVD) Department K.
While their roles are different, they have both significantly affected the cybercrime landscape in Russia and how it will evolve. In the wake of the recent arrests, Flashpoint analysts explain the main differences and similarities between the FSB and MVD’s Department K, plus what their roles might mean for the future of the cybercrime landscape.
What is the FSB?
The Federal Security Service (FSB) reports directly to the president of the Russian Federation. The FSB’s main responsibilities are overseeing Russian national security, counterterrorism, border protection, information security, counterintelligence, and the protection of territorial waters, Russia’s exclusive economic zone, and its natural resources.
The FSB is primarily a domestic security agency. However, in recent years it has gradually increased its influence over Russia’s domestic politics, mainly through its competencies to investigate white-collar crime (FSB Economic Crimes Service, of which the “Directorate K” investigates financial crimes).
Though the agency’s focus is primarily domestic, it is occasionally also active beyond Russia’s borders. The FSB specializes in countering foreign interference in internal affairs and preventing activity that could undermine any area of the state’s defense capabilities. These blurred lines have led to accusations of international cyberattacks and assassinations carried out by the FSB.
Read more: The Great Cyber Exit: Why the Number of Illicit Marketplaces Is Dwindling
The agency has also been active in major cybercrime investigations that are considered to be matters of national security—such as transnational cybercrime operations. Recent examples include the January 2022 arrest of the members of the ransomware collective “REvil” as well as the takedowns of the shop UniCC in 2022 and of several credit card shops in 2020.
What is the MVD?
The Ministry of Internal Affairs (MVD) is the federal executive authority of the Russian Federation. Headed by a minister appointed by the president of Russia, the MVD oversees internal troops and the police, whose tasks are to maintain law and order and suppress offenses on the territory of the Russian Federation.
The formation is primarily responsible for crime prevention and control, drug control and migration affairs. It is a paramilitary organization that has the right to acquire military small arms for its personnel. The activities of MVD are regulated by the Code of Criminal Procedure of Russian Federation.
What is Department K?
Department K (short for Kompyuternye Prestupleniya, or computer crimes) is a division of the MVD that has been active since 2001 and focuses primarily on information technology-related crimes.
According to the official information on the MVD website, Department K is responsible for addressing crimes such as:
- Unlawful access to legally protected information
- Creation, use, and distribution of malicious programs
- Violation of the rules for the operation of storage media
- Information technology-related fraud
- Production and distribution of pornographic content directed against minors
- Illegal use of objects of copyright
FSB Vs. MVD’s Department K
In general, the FSB as an authorized agency is much more influential than the MVD. Because it reports directly to the president of the Russian Federation, it requires a smaller degree of accountability compared to the MVD.
The MVD, including Department K, has a broader structure than the FSB. While the FSB addresses tasks at a national scale, the MVD is involved in more local and generalized tasks, with Department K specifically focused on technology.
Impact on illicit communities
The recent takedown of the card shops has fueled already existing speculation among Russian-speaking threat actors about the possible takeover of other prominent sites by law enforcement. Threat actors have long theorized that various cybercrime communities and groups have already been taken over by law enforcement.
A Telegram user in a chat group about the information stealer “Redline” noted that the drug marketplace “RAMP” (Russian Anonymous Marketplace) was taken down by law enforcement in 2017, after which Hydra became the dominant Russian-language market, which it still is today. Others suggested that if new card shops emerged after the takedowns of Ferum, Trump’s Dumps, and UniCC (which was taken down by the FSB), they would be suspicious that these new sites are run by law enforcement.
Threat actors call for protection
In 2019, threat actors speculated that the top-tier forum Exploit had been taken over by Ukrainian law enforcement after the seizure of some of the forum’s servers. Since November 2021, there has been an ongoing dispute on the top-tier Russian-language forum XSS over whether the administrator of the ransomware-focused forum RAMP (Ransom Anonymous Marketplace) is a police informant.
Related reading: REvil Continues It’s Reemergence, Joins Groove-led RAMP
The conversations align with the widely held view that threat actors running major cybercrime operations need to have a “krysha” (“roof”—that is, protector) in law enforcement. In November 2021, various threat actors operating on XSS claimed that the FSB’s Information Security Center controlled the “shadow IT market” of illicit services, and there is evidence in online communities suggesting that the FSB has been actively recruiting present and former cybercriminals.
Detect, prioritize, and mitigate cyber risks with Flashpoint
Never miss a development across illicit communities and protect your assets, stakeholders, and infrastructure by identifying emerging vulnerabilities, security incidents, and ransomware attacks. Sign up for a free trial and see Flashpoint’s extensive collections platform, deep web chatter, and dark web monitoring tools in action.