08.07 Analytics

Criminal-Patriotic Symbiosis: The synergy of intelligence agencies, cybercrime and quasi-activism has made Russia a world leader in cyber destruction
The Russian authorities have established a complex ecosystem of information and cyber influence, uniting propaganda media, non-governmental organisations, intelligence agencies (FSB, SVR, GRU), as well as hacker and criminal cyber groups. Researchers have identified 51 organisations within this system, although the actual number is likely higher. This ecosystem enables coordinated cyberattacks and disinformation campaigns aimed at achieving strategic objectives.

The effectiveness of this system in the cyber domain stems from the coordination of state, non-state, and criminal actors, as well as the use of various 'masks'. In addition to technical groups conducting cyber operations, which are often coordinated or directly controlled by Russian intelligence services (such as APT44/Sandworm or APT28/Fancy Bear), the Russian authorities also patronise a network of hacktivist, quasi-hacktivist, and overtly criminal cyber groups.

Hacktivist collectives such as CyberBerkut and XakNet, posing as independent actors, carry out DDoS attacks and data leaks, thus obscuring and masking the state’s involvement in cyber operations. Since 2014, and especially following the full-scale invasion of Ukraine in 2022, such entities have been actively deployed to target Ukrainian government websites and media. At the same time, groups directly linked to the intelligence services may fabricate 'hacktivist' fronts for their operations.

Furthermore, Russian authorities actively cooperate with criminal cyber groups such as REvil, Conti and LockBit. In some cases, the state deliberately targets hackers for recruitment into state-led operations; in others, they are offered immunity within Russia provided they refrain from targeting Russian entities and instead support operations against countries deemed 'unfriendly' by the Kremlin. This symbiosis has resulted in a sharp global increase in cybercrime and cyber incidents linked to Russian actors, with a recent concentration on European countries.

The Russian state has developed a full-fledged ecosystem of information and cyber influence, wherein propaganda media, specialised structures for conducting information and disinformation campaigns (such as Storm-1679 and Storm-1516, as well as the Pravda Network, which we previously detailed in Re:Russia: Manipulative Intelligence), intelligence services (FSB, SVR, and the Main Directorate of the General Staff of the Armed Forces of the Russian Federation, formerly GRU), and affiliated hacktivist and criminal cyber groups all interact. This is according to research by the International Institute for Strategic Studies (IISS). Within this ecosystem, researchers identified 51 organisations and mapped connections between them, though they note the actual number is likely higher. The Kremlin has thus created a sprawling network of cyber actors, where state and criminal interests are deeply intertwined and actions are effectively coordinated.

Twenty-seven of the structures identified by the IISS operate through technical means, engaging in cyber operations and espionage, and are coordinated by the GRU, FSB, and SVR. For example, APT44 (also known as Sandworm), affiliated with GRU Unit 74455, has since 2015 developed and deployed malware targeting critical infrastructure. This group is behind destructive software such as BlackEnergy, Industroyer, NotPetya and CaddyWiper. Another group, APT28 or Fancy Bear, also linked to the GRU, has been actively involved in cyber espionage. It was recently caught spying on foreign embassies in Ukraine and state institutions in Central Asia. The same group was implicated in Russia’s failed attempt to infiltrate the systems of the Organisation for the Prohibition of Chemical Weapons following the Salisbury poisonings in 2017. In May 2025, the US Department of Defense, in coordination with European intelligence services, issued a warning about an APT28 cyber campaign targeting dozens of Western enterprises operating in the logistics (maritime, rail, aviation) and technology sectors. The campaign appears aimed at supply chains supporting Ukraine.

Patriotism, hacktivism and their ‘masks’

In addition to the groups formally embedded within the intelligence services, Russian authorities patronise a network of hacktivist, quasi-hacktivist, and criminal cyber groups, according to IISS experts. Hacktivism involves the use of cyber technologies to promote political or social causes, where attacks and breaches serve as tools of protest or exposure. The most famous examples include WikiLeaks and the Panama Papers. Hacktivists may hack and leak classified information to expose wrongdoing or defend free speech. However, authoritarian regimes may exploit or simulate hacktivism to pursue manipulative objectives.

The GRU has utilised such groups and hacktivist 'masks' for cyberattacks since 2014, with activity intensifying after the launch of the full-scale invasion of Ukraine. The pro-Russian hacktivist group CyberBerkut, linked to the GRU, carried out DDoS and hack-and-leak operations against Ukrainian government sites and media during the annexation of Crimea. Evil Corp, a group specialising in developing and distributing malware (notably ransomware), attacked NATO’s digital systems under direction from the FSB.

In general, patriotic or coerced hackers and hacktivist groups play a crucial role in Russia’s cyber warfare doctrine. As with broader Russian public discourse, it is nearly impossible to determine where genuine 'patriotism' ends and coercion begins. Nonetheless, such groups, with their experience in social manipulation and campaigning, are capable of mobilising both real users and vast bot networks for DDoS attacks.

In 2007 in Estonia and in 2008 in Georgia, participants in DDoS attacks were recruited via pro-Russian online forums. By 2014, during the invasion of Crimea, the GRU began using pseudo-hacktivist groups like CyberBerkut for DDoS operations. With the start of the full-scale invasion in 2022, pro-Russian hacktivist entities expanded their operations, conducting both hack-and-leak campaigns and DDoS attacks. Hacktivist groups such as the Cyber Army of Russia Reborn and XakNet, which claimed responsibility for hack-and-leak operations, were in fact front organisations tied to APT44, a GRU-affiliated unit. These groups publicly declared their cyberattacks and motivations and disseminated stolen documents, mimicking the behaviour of genuine hacktivists. This approach allowed Moscow to maintain plausible deniability for an extended period.

Cybermafia state

Finally, Russian intelligence agencies have established an effective working relationship with outright criminal cyber groups, according to the IISS report. For example, Cadet Blizzard, a group affiliated with the GRU, collaborated with cybercriminal communities to conduct espionage operations and hack-and-leak attacks.

Russia occasionally arrests cybercriminals, but this is often done with the aim of recruiting them, according to another IISS report, ‘Russian Information Warfare Doctrine in Action’. For example, after high-profile arrests in early 2022 of REvil cyber fraudsters, carried out at the request of the United States, Russia stated it would not extradite REvil members who held Russian citizenship. Subsequently, some of those arrested were coerced into cooperating with the state. In effect, a US-led law enforcement investigation was used by Russian authorities to reinforce their own cyber fraud networks.

Some cybercriminal groups based in Russia, such as Conti and LockBit, have openly declared their loyalty to the state, even without being coerced (though Conti later disbanded due to internal disputes following Russia’s full-scale invasion of Ukraine). At present, experts believe Russia is using state-linked cybercriminal elements for intelligence operations targeting Ukraine, as well as laundering money via cryptocurrency, a portion of which is reportedly used to purchase military equipment for the Russian army.

The Kremlin’s principal mechanism for interacting with cybercrime, however, is what might be termed a criminal contract. Nearly half of the individuals on the most-wanted list published by the German Federal Criminal Police Office (BKA) are Russian cybercriminals. The BKA list is a highly effective tool: according to statistics, about 70% of suspects added to it since 1999 have been arrested. Yet Russian entries are an exception: despite extensive evidence collected against them by Western law enforcement and intelligence agencies, they remain beyond reach as long as they are inside Russia. This, according to a review by the German Institute for International and Security Affairs (SWP), enables cybercriminals to benefit from state protection, while the Russian regime gains a powerful tool of influence in return.

The example of the FSB’s Centre for Information Security (Centre 18, military unit 64829) clearly illustrates the interweaving of state interests and criminal activity. Although formally responsible for countering cybercrime, Centre 18 uses the data it gathers to recruit hackers for intelligence projects, the SWP report notes. In addition, the Centre runs its own cyber-espionage programme, including the group Star Blizzard, which since 2019 has collected intelligence on civilian organisations, defence assets, and government targets in NATO countries.

As with hacktivism, a system of 'masks' is frequently employed. That is, beyond directly recruiting cybercriminals, Russian intelligence services sometimes disguise themselves as criminal entities. For example, in 2024, the group Void Blizzard, which is linked to GRU Unit 26165, relied on credentials obtained via the dark web. These stolen login details were then used to infiltrate digital systems in NATO and EU countries, including the IT infrastructure of foreign ministries, defence departments, defence contractors, technology firms servicing government contracts, political parties, and journalists.

According to Dutch intelligence services AIVD and MIVD, the use of criminal tactics makes it significantly harder to distinguish GRU-linked activities from those of ordinary cybercriminals. Moreover, with growing demand for their services from intelligence agencies, Russian cybercriminals are now tailoring their offerings accordingly. For instance, the DanaBot network, which specialises in data theft and the distribution of malware, now produces tools both for criminal business (e.g. fraud, ransomware) and for espionage (e.g. theft of confidential information from military, diplomatic, and governmental sources).

The syndicate effect: Russia is the leader in cyber destruction, with Europe as its main target

Cybercriminals receive protection from prosecution or extradition while inside Russia, provided they refrain from attacking Russian targets or acting against Russian interests. As a result, Russia has become a safe haven for a wide array of malicious cyber activities.

Data from the European Cyber Incident Repository (EuRepoC) vividly illustrate this trend: only 4% of cyber incidents attributed to Russian cybercriminals targeted domestic entities. By contrast, this figure is twice as high for Chinese-origin operations (8%). For Western countries, the proportion of attacks on domestic targets is substantially greater: in the United States it exceeds the Russian rate by more than eightfold (31%), and in EU countries it is nearly 14 times higher (49%). The only actors with a lower domestic targeting rate are North Korean cybercriminals, at just 1%. The lower the rate of 'internal' targeting, the stronger the suspicion of a 'pact' between cybercriminals and state security forces. This exclusion of Russian targets is also evident on a technical level: certain malware strains, such as the Ryuk ransomware used by the Trickbot group (listed by the BKA), check the system’s language settings and self-destruct if Russian parameters are detected.

At the same time, this state protection, combined with technological sophistication, produces a clear quantitative impact. Russian-linked actors exhibit the highest level of activity in cyberspace: from January 2000 to May 2025, they were involved in 389 cyber incidents, compared to 351 attributed to Chinese actors. North Korean, American, and EU-based actors were responsible for significantly fewer incidents – 155, 68, and 50 respectively.

Between 2018 and 2021, the ratio of operations conducted by Chinese state actors versus those initiated by the Russian state was 54 to 46%. However, from 2022 to 2024, this ratio dramatically shifted in favour of Russian operations, reaching 17 to 83%, according to data from the EuRepoC report ‘Cyber Activity Balance 2024: The European Union in Focus’.

Overall, the total number of cyber operations targeting EU-based entities increased by 16% in 2024, while globally (excluding EU member states), this figure fell by 6.3%. This rise in the EU’s cyber insecurity was, to a large extent, driven by actions emanating from Moscow. The EuRepoC report also notes that since 2022, Russia-linked actors have focused on disruptive operations, ranging from low-cost but high-impact actions such as DDoS attacks to attempts to disable critical infrastructure in European countries. Of particular concern are developments in this area carried out by the GRU, especially its Unit 29155.

The diversification of methods and actors involved in cyber operations is intended to minimise the risk of exposure. A flexible recruitment system and a decentralised network of intermediaries allow for the fragmentation of tasks, thereby insulating the broader network: the compromise of one link does not endanger other actors or the operation as a whole. The inclusion of new operatives and/or the use of tools associated with criminal non-state groups is a deliberate tactic to blur the lines of state involvement.

What we are witnessing here are effects characteristic of the current stage in the evolution of the Russian regime: a deep interpenetration of the security services and the criminal underworld, their methods, and operating logics, which together shape the culture and framework of a unified 'mafia state.' At the same time, as many experts have pointed out, the overall effectiveness of Russia’s cyberwarfare against Ukraine has been relatively low, certainly far below expectations. It is possible that this limited ability to conduct strategic operations with clearly defined practical objectives is a by-product of the institutional peculiarities of Russia’s cyber influence system.